Action not permitted
Modal body text goes here.
cve-2022-45693
Vulnerability from cvelistv5
Published
2022-12-13 00:00
Modified
2024-08-03 14:17
Severity ?
EPSS score ?
Summary
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/jettison-json/jettison/issues/52 | Exploit, Issue Tracking, Third Party Advisory | |
cve@mitre.org | https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html | Mailing List, Third Party Advisory | |
cve@mitre.org | https://www.debian.org/security/2023/dsa-5312 | Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:17:04.076Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/jettison-json/jettison/issues/52" }, { "name": "[debian-lts-announce] 20221231 [SECURITY] [DLA 3259-1] libjettison-java security update", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "name": "DSA-5312", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.debian.org/security/2023/dsa-5312" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-01-11T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/jettison-json/jettison/issues/52" }, { "name": "[debian-lts-announce] 20221231 [SECURITY] [DLA 3259-1] libjettison-java security update", "tags": [ "mailing-list" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "name": "DSA-5312", "tags": [ "vendor-advisory" ], "url": "https://www.debian.org/security/2023/dsa-5312" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-45693", "datePublished": "2022-12-13T00:00:00", "dateReserved": "2022-11-21T00:00:00", "dateUpdated": "2024-08-03T14:17:04.076Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-45693\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-12-13T15:15:11.447\",\"lastModified\":\"2023-01-26T17:35:45.193\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.\"},{\"lang\":\"es\",\"value\":\"Se descubri\u00f3 que Jettison anterior a v1.5.2 conten\u00eda un desbordamiento de pila a trav\u00e9s del par\u00e1metro map. Esta vulnerabilidad permite a los atacantes provocar una Denegaci\u00f3n de Servicio (DoS) a trav\u00e9s de una cadena manipulada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-787\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jettison_project:jettison:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.5.2\",\"matchCriteriaId\":\"A52261E1-B166-486D-90BA-E49155176361\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://github.com/jettison-json/jettison/issues/52\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5312\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
rhsa-2024_1027
Vulnerability from csaf_redhat
Published
2024-02-28 18:13
Modified
2024-11-15 17:44
Summary
Red Hat Security Advisory: Migration Toolkit for Applications security update
Notes
Topic
An update is now available for MTA-6.2-RHEL-8 and MTA-6.2-RHEL-9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Migration Toolkit for Applications
Security Fix(es):
* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* guava: insecure temporary directory creation (CVE-2023-2976)
* follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)
* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)
* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)
* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for MTA-6.2-RHEL-8 and MTA-6.2-RHEL-9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Migration Toolkit for Applications \n\nSecurity Fix(es):\n\n* golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* apache-ivy: XML External Entity vulnerability (CVE-2022-46751)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* guava: insecure temporary directory creation (CVE-2023-2976)\n\n* follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse() (CVE-2023-26159)\n\n* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)\n\n* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)\n\n* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2024:1027", "url": "https://access.redhat.com/errata/RHSA-2024:1027" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "2107376", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107376" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2182788", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788" }, { "category": "external", "summary": "2215214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215214" }, { "category": "external", "summary": "2215229", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215229" }, { "category": "external", "summary": "2222167", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222167" }, { "category": "external", "summary": "2228743", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228743" }, { "category": "external", "summary": "2233112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112" }, { "category": "external", "summary": "2256413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413" }, { "category": "external", "summary": "MTA-87", "url": "https://issues.redhat.com/browse/MTA-87" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1027.json" } ], "title": "Red Hat Security Advisory: Migration Toolkit for Applications security update", "tracking": { "current_release_date": "2024-11-15T17:44:02+00:00", "generator": { "date": "2024-11-15T17:44:02+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2024:1027", "initial_release_date": "2024-02-28T18:13:39+00:00", "revision_history": [ { "date": "2024-02-28T18:13:39+00:00", "number": "1", "summary": "Initial version" }, { "date": "2024-02-28T18:13:39+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T17:44:02+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "MTA 6.2 for RHEL 8", "product": { "name": "MTA 6.2 for RHEL 8", "product_id": "9Base-MTA-6.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el9" } } }, { "category": "product_name", "name": "MTA 6.2 for RHEL 8", "product": { "name": "MTA 6.2 for RHEL 8", "product_id": "8Base-MTA-6.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:migration_toolkit_applications:6.2::el8" } } } ], "category": "product_family", "name": "Migration Toolkit for Applications" }, { "branches": [ { "category": "product_version", "name": "mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "product": { "name": "mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "product_id": "mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "product_identification_helper": { "purl": "pkg:oci/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-hub-rhel9\u0026tag=6.2.2-2" } } }, { "category": "product_version", "name": "mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "product": { "name": "mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "product_id": "mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "product_identification_helper": { "purl": "pkg:oci/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-operator-bundle\u0026tag=6.2.2-5" } } }, { "category": "product_version", "name": "mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "product": { "name": "mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "product_id": "mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "product_identification_helper": { "purl": "pkg:oci/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-rhel8-operator\u0026tag=6.2.2-3" } } }, { "category": "product_version", "name": "mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "product": { "name": "mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "product_id": "mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "product_identification_helper": { "purl": "pkg:oci/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-pathfinder-rhel9\u0026tag=6.2.2-2" } } }, { "category": "product_version", "name": "mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "product": { "name": "mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "product_id": "mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "product_identification_helper": { "purl": "pkg:oci/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-ui-rhel9\u0026tag=6.2.2-2" } } }, { "category": "product_version", "name": "mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64", "product": { "name": "mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64", "product_id": "mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64", "product_identification_helper": { "purl": "pkg:oci/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc?arch=amd64\u0026repository_url=registry.redhat.io/mta/mta-windup-addon-rhel9\u0026tag=6.2.2-3" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64 as a component of MTA 6.2 for RHEL 8", "product_id": "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64" }, "product_reference": "mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "relates_to_product_reference": "8Base-MTA-6.2" }, { "category": "default_component_of", "full_product_name": { "name": "mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64 as a component of MTA 6.2 for RHEL 8", "product_id": "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64" }, "product_reference": "mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "relates_to_product_reference": "9Base-MTA-6.2" }, { "category": "default_component_of", "full_product_name": { "name": "mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64 as a component of MTA 6.2 for RHEL 8", "product_id": "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64" }, "product_reference": "mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "relates_to_product_reference": "9Base-MTA-6.2" }, { "category": "default_component_of", "full_product_name": { "name": "mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64 as a component of MTA 6.2 for RHEL 8", "product_id": "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64" }, "product_reference": "mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "relates_to_product_reference": "9Base-MTA-6.2" }, { "category": "default_component_of", "full_product_name": { "name": "mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64 as a component of MTA 6.2 for RHEL 8", "product_id": "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64" }, "product_reference": "mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "relates_to_product_reference": "9Base-MTA-6.2" }, { "category": "default_component_of", "full_product_name": { "name": "mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64 as a component of MTA 6.2 for RHEL 8", "product_id": "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" }, "product_reference": "mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64", "relates_to_product_reference": "9Base-MTA-6.2" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-1962", "cwe": { "id": "CWE-1325", "name": "Improperly Controlled Sequential Memory Allocation" }, "discovery_date": "2022-07-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2107376" } ], "notes": [ { "category": "description", "text": "A flaw was found in the golang standard library, go/parser. When calling any Parse functions on the Go source code, which contains deeply nested types or declarations, a panic can occur due to stack exhaustion. This issue allows an attacker to impact system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: go/parser: stack exhaustion in all Parse* functions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1962" }, { "category": "external", "summary": "RHBZ#2107376", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2107376" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1962", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1962" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1962" }, { "category": "external", "summary": "https://go.dev/issue/53616", "url": "https://go.dev/issue/53616" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE", "url": "https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE" } ], "release_date": "2022-07-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: go/parser: stack exhaustion in all Parse* functions" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46751", "cwe": { "id": "CWE-91", "name": "XML Injection (aka Blind XPath Injection)" }, "discovery_date": "2023-08-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2233112" } ], "notes": [ { "category": "description", "text": "Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.\n\nWhen Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.\n\nThis can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.\n\nStarting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.\n\nUsers of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about \"JAXP Properties for External Access restrictions\" inside Oracle\u0027s \"Java API for XML Processing (JAXP) Security Guide\".\n\n", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-ivy: XML External Entity vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46751" }, { "category": "external", "summary": "RHBZ#2233112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233112" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46751" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46751" }, { "category": "external", "summary": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8", "url": "https://lists.apache.org/thread/1dj60hg5nr36kjr4p1100dwjrqookps8" } ], "release_date": "2023-08-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-ivy: XML External Entity vulnerability" }, { "cve": "CVE-2023-1436", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2023-03-29T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2182788" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: Uncontrolled Recursion in JSONArray", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-1436" }, { "category": "external", "summary": "RHBZ#2182788", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182788" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1436", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1436" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436" }, { "category": "external", "summary": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", "url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/" } ], "release_date": "2023-03-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: Uncontrolled Recursion in JSONArray" }, { "cve": "CVE-2023-2976", "cwe": { "id": "CWE-552", "name": "Files or Directories Accessible to External Parties" }, "discovery_date": "2023-06-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2215229" } ], "notes": [ { "category": "description", "text": "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", "title": "Vulnerability description" }, { "category": "summary", "text": "guava: insecure temporary directory creation", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-2976" }, { "category": "external", "summary": "RHBZ#2215229", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215229" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-2976", "url": "https://www.cve.org/CVERecord?id=CVE-2023-2976" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976" } ], "release_date": "2023-06-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" }, { "category": "workaround", "details": "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "guava: insecure temporary directory creation" }, { "cve": "CVE-2023-26159", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2024-01-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2256413" } ], "notes": [ { "category": "description", "text": "An Improper Input Validation flaw was found in follow-redirects due to the improper handling of URLs by the url.parse() function. When a new URL() throws an error, it can be manipulated to misinterpret the hostname. This issue could allow an attacker to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.", "title": "Vulnerability description" }, { "category": "summary", "text": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()", "title": "Vulnerability summary" }, { "category": "other", "text": "follow-redirects is a transitive dependency of Grafana, and does not affect Red Hat Enterprise Linux 8.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-26159" }, { "category": "external", "summary": "RHBZ#2256413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256413" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-26159", "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26159" } ], "release_date": "2024-01-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" }, { "category": "workaround", "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "follow-redirects: Improper Input Validation due to the improper handling of URLs by the url.parse()" }, { "cve": "CVE-2023-29406", "cwe": { "id": "CWE-113", "name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)" }, "discovery_date": "2023-07-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2222167" } ], "notes": [ { "category": "description", "text": "A flaw was found in Golang, where it is vulnerable to HTTP header injection caused by improper content validation of the Host header by the HTTP/1 client. A remote attacker can inject arbitrary HTTP headers by persuading a victim to visit a specially crafted Web page. This flaw allows the attacker to conduct various attacks against the vulnerable system, including Cross-site scripting, cache poisoning, or session hijacking.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: net/http: insufficient sanitization of Host header", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-29406" }, { "category": "external", "summary": "RHBZ#2222167", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2222167" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29406", "url": "https://www.cve.org/CVERecord?id=CVE-2023-29406" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29406" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/2q13H6LEEx0", "url": "https://groups.google.com/g/golang-announce/c/2q13H6LEEx0" } ], "release_date": "2023-07-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: net/http: insufficient sanitization of Host header" }, { "cve": "CVE-2023-29409", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-08-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2228743" } ], "notes": [ { "category": "description", "text": "A denial of service vulnerability was found in the Golang Go package caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, a remote attacker can cause a client/server to expend significant CPU time verifying signatures, resulting in a denial of service condition.", "title": "Vulnerability description" }, { "category": "summary", "text": "golang: crypto/tls: slow verification of certificate chains containing large RSA keys", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-29409" }, { "category": "external", "summary": "RHBZ#2228743", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2228743" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-29409", "url": "https://www.cve.org/CVERecord?id=CVE-2023-29409" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29409" }, { "category": "external", "summary": "https://go.dev/cl/515257", "url": "https://go.dev/cl/515257" }, { "category": "external", "summary": "https://go.dev/issue/61460", "url": "https://go.dev/issue/61460" }, { "category": "external", "summary": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ", "url": "https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI/m/Efv5DbZ9AwAJ" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2023-1987", "url": "https://pkg.go.dev/vuln/GO-2023-1987" } ], "release_date": "2023-08-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "golang: crypto/tls: slow verification of certificate chains containing large RSA keys" }, { "cve": "CVE-2023-35116", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2023-06-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2215214" } ], "notes": [ { "category": "description", "text": "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor\u0027s perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: denial of service via cylic dependencies", "title": "Vulnerability summary" }, { "category": "other", "text": "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-35116" }, { "category": "external", "summary": "RHBZ#2215214", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2215214" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-35116", "url": "https://www.cve.org/CVERecord?id=CVE-2023-35116" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35116" } ], "release_date": "2023-06-14T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2024-02-28T18:13:39+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2024:1027" }, { "category": "workaround", "details": "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.", "product_ids": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-MTA-6.2:mta/mta-rhel8-operator@sha256:e1e6f80467054b95379c1b482800a656917e1cfd35d8fac2d4f6ff4091088a67_amd64", "9Base-MTA-6.2:mta/mta-hub-rhel9@sha256:b232b42b2de4be2d7c67ef2418070b155b79a275e2cbba343a04c22c1e016662_amd64", "9Base-MTA-6.2:mta/mta-operator-bundle@sha256:d142049160f51b71f1c9d970e23824952ca35e7c2e23d6c8753a33e727b87b81_amd64", "9Base-MTA-6.2:mta/mta-pathfinder-rhel9@sha256:781aef6a3a23c765a31e38a36ebc4c40957249888532f46a77d320f416816508_amd64", "9Base-MTA-6.2:mta/mta-ui-rhel9@sha256:2e10de6bd9bb24a03579f555b71e6ff57f2c9d74cf3b79ec42e9dba4cab628a1_amd64", "9Base-MTA-6.2:mta/mta-windup-addon-rhel9@sha256:73671e9d3c4bf624d1a6745c5002b93b158519abf6b13c7bb0e1491d873316fc_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: denial of service via cylic dependencies" } ] }
rhsa-2023_1045
Vulnerability from csaf_redhat
Published
2023-03-01 21:45
Modified
2024-11-21 21:15
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1045", "url": "https://access.redhat.com/errata/RHSA-2023:1045" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1045.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9", "tracking": { "current_release_date": "2024-11-21T21:15:06+00:00", "generator": { "date": "2024-11-21T21:15:06+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1045", "initial_release_date": "2023-03-01T21:45:17+00:00", "revision_history": [ { "date": "2023-03-01T21:45:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-03-01T21:45:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:06+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.6 for RHEL 9", "product": { "name": "Red Hat Single Sign-On 7.6 for RHEL 9", "product_id": "9Base-RHSSO-7.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "product": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "product": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el9sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el9sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9", "product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "relates_to_product_reference": "9Base-RHSSO-7.6" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 9", "product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src" }, "product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "relates_to_product_reference": "9Base-RHSSO-7.6" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 9", "product_id": "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "relates_to_product_reference": "9Base-RHSSO-7.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2021-35065", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156324" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "glob-parent: Regular Expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35065" }, { "category": "external", "summary": "RHBZ#2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35065" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294", "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294" } ], "release_date": "2022-12-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "glob-parent: Regular Expression Denial of Service" }, { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "acknowledgments": [ { "names": [ "Marcus Nilsson" ], "organization": "usd AG" } ], "cve": "CVE-2022-1274", "cwe": { "id": "CWE-80", "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" }, "discovery_date": "2022-04-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073157" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: HTML injection in execute-actions-email Admin REST API", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1274" }, { "category": "external", "summary": "RHBZ#2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1274" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725" } ], "release_date": "2023-02-28T18:57:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: HTML injection in execute-actions-email Admin REST API" }, { "acknowledgments": [ { "names": [ "Grzegorz Tworek" ], "organization": "SISOFT s.c." } ], "cve": "CVE-2022-1438", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031904" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: XSS on impersonation under specific circumstances", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1438" }, { "category": "external", "summary": "RHBZ#2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1438" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438" } ], "release_date": "2023-02-28T18:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: XSS on impersonation under specific circumstances" }, { "cve": "CVE-2022-1471", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2150009" } ], "notes": [ { "category": "description", "text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", "title": "Vulnerability description" }, { "category": "summary", "text": "SnakeYaml: Constructor Deserialization Remote Code Execution", "title": "Vulnerability summary" }, { "category": "other", "text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1471" }, { "category": "external", "summary": "RHBZ#2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "category": "external", "summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" } ], "release_date": "2022-10-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "SnakeYaml: Constructor Deserialization Remote Code Execution" }, { "cve": "CVE-2022-2764", "discovery_date": "2022-08-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2117506" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2764" }, { "category": "external", "summary": "RHBZ#2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2764" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764" } ], "release_date": "2022-08-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations" }, { "acknowledgments": [ { "names": [ "Peter Flintholm" ], "organization": "Trifork" } ], "cve": "CVE-2022-3916", "cwe": { "id": "CWE-384", "name": "Session Fixation" }, "discovery_date": "2022-11-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2141404" } ], "notes": [ { "category": "description", "text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Session takeover with OIDC offline refreshtokens", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3916" }, { "category": "external", "summary": "RHBZ#2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3916" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916" } ], "release_date": "2022-11-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Session takeover with OIDC offline refreshtokens" }, { "cve": "CVE-2022-4137", "cwe": { "id": "CWE-81", "name": "Improper Neutralization of Script in an Error Message Web Page" }, "discovery_date": "2022-11-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2148496" } ], "notes": [ { "category": "description", "text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: reflected XSS attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4137" }, { "category": "external", "summary": "RHBZ#2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137" } ], "release_date": "2023-03-01T13:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: reflected XSS attack" }, { "cve": "CVE-2022-24785", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-04-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2072009" } ], "notes": [ { "category": "description", "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "Moment.js: Path traversal in moment.locale", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24785" }, { "category": "external", "summary": "RHBZ#2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" } ], "release_date": "2022-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" }, { "category": "workaround", "details": "Sanitize the user-provided locale name before passing it to Moment.js.", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Moment.js: Path traversal in moment.locale" }, { "cve": "CVE-2022-25857", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126789" } ], "notes": [ { "category": "description", "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "title": "Vulnerability summary" }, { "category": "other", "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25857" }, { "category": "external", "summary": "RHBZ#2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "category": "external", "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" } ], "release_date": "2022-08-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections" }, { "cve": "CVE-2022-31129", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-07-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2105075" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "moment: inefficient parsing algorithm resulting in DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31129" }, { "category": "external", "summary": "RHBZ#2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" } ], "release_date": "2022-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "moment: inefficient parsing algorithm resulting in DoS" }, { "cve": "CVE-2022-37603", "cwe": { "id": "CWE-185", "name": "Incorrect Regular Expression" }, "discovery_date": "2022-11-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2140597" } ], "notes": [ { "category": "description", "text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.", "title": "Vulnerability description" }, { "category": "summary", "text": "loader-utils: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-37603" }, { "category": "external", "summary": "RHBZ#2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "loader-utils: Regular expression denial of service" }, { "cve": "CVE-2022-38749", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129706" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38749" }, { "category": "external", "summary": "RHBZ#2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode" }, { "cve": "CVE-2022-38750", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129707" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38750" }, { "category": "external", "summary": "RHBZ#2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject" }, { "cve": "CVE-2022-38751", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129709" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38751" }, { "category": "external", "summary": "RHBZ#2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46175", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156263" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.", "title": "Vulnerability description" }, { "category": "summary", "text": "json5: Prototype Pollution in JSON5 via Parse Method", "title": "Vulnerability summary" }, { "category": "other", "text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "RHBZ#2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "category": "external", "summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" } ], "release_date": "2022-12-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "json5: Prototype Pollution in JSON5 via Parse Method" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "CXF: SSRF Vulnerability" }, { "acknowledgments": [ { "names": [ "Sourav Kumar" ], "organization": "https://github.com/souravs17031999", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0091", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-10-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Client Registration endpoint does not check token revocation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0091" }, { "category": "external", "summary": "RHBZ#2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0091" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg" }, { "category": "external", "summary": "https://github.com/keycloak/security/issues/27", "url": "https://github.com/keycloak/security/issues/27" } ], "release_date": "2022-10-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "keycloak: Client Registration endpoint does not check token revocation" }, { "acknowledgments": [ { "names": [ "Jordi Zayuelas i Mu\u00f1oz" ], "organization": "A1 Digital", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0264", "cwe": { "id": "CWE-303", "name": "Incorrect Implementation of Authentication Algorithm" }, "discovery_date": "2023-01-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2160585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: user impersonation via stolen uuid code", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0264" }, { "category": "external", "summary": "RHBZ#2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264" } ], "release_date": "2023-02-28T18:58:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1045" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.noarch", "9Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso.src", "9Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el9sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: user impersonation via stolen uuid code" } ] }
rhsa-2023_1044
Vulnerability from csaf_redhat
Published
2023-03-01 21:45
Modified
2024-11-21 21:15
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1044", "url": "https://access.redhat.com/errata/RHSA-2023:1044" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1044.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8", "tracking": { "current_release_date": "2024-11-21T21:15:18+00:00", "generator": { "date": "2024-11-21T21:15:18+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1044", "initial_release_date": "2023-03-01T21:45:12+00:00", "revision_history": [ { "date": "2023-03-01T21:45:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-03-01T21:45:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:18+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.6 for RHEL 8", "product": { "name": "Red Hat Single Sign-On 7.6 for RHEL 8", "product_id": "8Base-RHSSO-7.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "product": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el8sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el8sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8", "product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.6" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 8", "product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src" }, "product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "relates_to_product_reference": "8Base-RHSSO-7.6" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 8", "product_id": "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "relates_to_product_reference": "8Base-RHSSO-7.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2021-35065", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156324" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "glob-parent: Regular Expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35065" }, { "category": "external", "summary": "RHBZ#2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35065" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294", "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294" } ], "release_date": "2022-12-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "glob-parent: Regular Expression Denial of Service" }, { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "acknowledgments": [ { "names": [ "Marcus Nilsson" ], "organization": "usd AG" } ], "cve": "CVE-2022-1274", "cwe": { "id": "CWE-80", "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" }, "discovery_date": "2022-04-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073157" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: HTML injection in execute-actions-email Admin REST API", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1274" }, { "category": "external", "summary": "RHBZ#2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1274" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725" } ], "release_date": "2023-02-28T18:57:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: HTML injection in execute-actions-email Admin REST API" }, { "acknowledgments": [ { "names": [ "Grzegorz Tworek" ], "organization": "SISOFT s.c." } ], "cve": "CVE-2022-1438", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031904" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: XSS on impersonation under specific circumstances", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1438" }, { "category": "external", "summary": "RHBZ#2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1438" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438" } ], "release_date": "2023-02-28T18:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: XSS on impersonation under specific circumstances" }, { "cve": "CVE-2022-1471", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2150009" } ], "notes": [ { "category": "description", "text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", "title": "Vulnerability description" }, { "category": "summary", "text": "SnakeYaml: Constructor Deserialization Remote Code Execution", "title": "Vulnerability summary" }, { "category": "other", "text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1471" }, { "category": "external", "summary": "RHBZ#2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "category": "external", "summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" } ], "release_date": "2022-10-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "SnakeYaml: Constructor Deserialization Remote Code Execution" }, { "cve": "CVE-2022-2764", "discovery_date": "2022-08-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2117506" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2764" }, { "category": "external", "summary": "RHBZ#2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2764" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764" } ], "release_date": "2022-08-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations" }, { "acknowledgments": [ { "names": [ "Peter Flintholm" ], "organization": "Trifork" } ], "cve": "CVE-2022-3916", "cwe": { "id": "CWE-384", "name": "Session Fixation" }, "discovery_date": "2022-11-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2141404" } ], "notes": [ { "category": "description", "text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Session takeover with OIDC offline refreshtokens", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3916" }, { "category": "external", "summary": "RHBZ#2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3916" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916" } ], "release_date": "2022-11-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Session takeover with OIDC offline refreshtokens" }, { "cve": "CVE-2022-4137", "cwe": { "id": "CWE-81", "name": "Improper Neutralization of Script in an Error Message Web Page" }, "discovery_date": "2022-11-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2148496" } ], "notes": [ { "category": "description", "text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: reflected XSS attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4137" }, { "category": "external", "summary": "RHBZ#2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137" } ], "release_date": "2023-03-01T13:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: reflected XSS attack" }, { "cve": "CVE-2022-24785", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-04-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2072009" } ], "notes": [ { "category": "description", "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "Moment.js: Path traversal in moment.locale", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24785" }, { "category": "external", "summary": "RHBZ#2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" } ], "release_date": "2022-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" }, { "category": "workaround", "details": "Sanitize the user-provided locale name before passing it to Moment.js.", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Moment.js: Path traversal in moment.locale" }, { "cve": "CVE-2022-25857", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126789" } ], "notes": [ { "category": "description", "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "title": "Vulnerability summary" }, { "category": "other", "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25857" }, { "category": "external", "summary": "RHBZ#2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "category": "external", "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" } ], "release_date": "2022-08-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections" }, { "cve": "CVE-2022-31129", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-07-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2105075" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "moment: inefficient parsing algorithm resulting in DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31129" }, { "category": "external", "summary": "RHBZ#2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" } ], "release_date": "2022-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "moment: inefficient parsing algorithm resulting in DoS" }, { "cve": "CVE-2022-37603", "cwe": { "id": "CWE-185", "name": "Incorrect Regular Expression" }, "discovery_date": "2022-11-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2140597" } ], "notes": [ { "category": "description", "text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.", "title": "Vulnerability description" }, { "category": "summary", "text": "loader-utils: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-37603" }, { "category": "external", "summary": "RHBZ#2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "loader-utils: Regular expression denial of service" }, { "cve": "CVE-2022-38749", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129706" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38749" }, { "category": "external", "summary": "RHBZ#2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode" }, { "cve": "CVE-2022-38750", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129707" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38750" }, { "category": "external", "summary": "RHBZ#2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject" }, { "cve": "CVE-2022-38751", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129709" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38751" }, { "category": "external", "summary": "RHBZ#2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46175", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156263" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.", "title": "Vulnerability description" }, { "category": "summary", "text": "json5: Prototype Pollution in JSON5 via Parse Method", "title": "Vulnerability summary" }, { "category": "other", "text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "RHBZ#2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "category": "external", "summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" } ], "release_date": "2022-12-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "json5: Prototype Pollution in JSON5 via Parse Method" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "CXF: SSRF Vulnerability" }, { "acknowledgments": [ { "names": [ "Sourav Kumar" ], "organization": "https://github.com/souravs17031999", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0091", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-10-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Client Registration endpoint does not check token revocation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0091" }, { "category": "external", "summary": "RHBZ#2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0091" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg" }, { "category": "external", "summary": "https://github.com/keycloak/security/issues/27", "url": "https://github.com/keycloak/security/issues/27" } ], "release_date": "2022-10-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "keycloak: Client Registration endpoint does not check token revocation" }, { "acknowledgments": [ { "names": [ "Jordi Zayuelas i Mu\u00f1oz" ], "organization": "A1 Digital", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0264", "cwe": { "id": "CWE-303", "name": "Incorrect Implementation of Authentication Algorithm" }, "discovery_date": "2023-01-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2160585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: user impersonation via stolen uuid code", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0264" }, { "category": "external", "summary": "RHBZ#2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264" } ], "release_date": "2023-02-28T18:58:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:45:12+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1044" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.noarch", "8Base-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso.src", "8Base-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el8sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: user impersonation via stolen uuid code" } ] }
rhsa-2023_1047
Vulnerability from csaf_redhat
Published
2023-03-01 21:46
Modified
2024-11-21 21:15
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update
Notes
Topic
A new image is available for Red Hat Single Sign-On 7.6.2, running on Red
Hat OpenShift Container Platform from the release of 3.11 up to the release
of 4.12.0.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On is an integrated sign-on solution, available as a
Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat
Single Sign-On for OpenShift image provides an authentication server that
you can use to log in centrally, log out, and register. You can also manage
user accounts for web applications, mobile applications, and RESTful web
services.
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
This erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use
within the Red Hat OpenShift Container Platform (from the release of 3.11
up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)
for on-premise or private cloud deployments, aligning with the standalone
product release.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A new image is available for Red Hat Single Sign-On 7.6.2, running on Red\nHat OpenShift Container Platform from the release of 3.11 up to the release\nof 4.12.0.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On is an integrated sign-on solution, available as a\nRed Hat JBoss Middleware for OpenShift containerized image. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices.\n\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* RH-SSO for OpenShift images: unsecured management interface exposed to adjacent network (CVE-2022-4039)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: XSS on izmpersonation under specific circumstances (CVE-2022-1438)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.6.2 for use\nwithin the Red Hat OpenShift Container Platform (from the release of 3.11\nup to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS)\nfor on-premise or private cloud deployments, aligning with the standalone\nproduct release.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1047", "url": "https://access.redhat.com/errata/RHSA-2023:1047" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "2143416", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1047.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update", "tracking": { "current_release_date": "2024-11-21T21:15:52+00:00", "generator": { "date": "2024-11-21T21:15:52+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1047", "initial_release_date": "2023-03-01T21:46:46+00:00", "revision_history": [ { "date": "2023-03-01T21:46:46+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-03-01T21:46:46+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:52+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x", "product": { "name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x", "product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x", "product_identification_helper": { "purl": "pkg:oci/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21?arch=s390x\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "product": { "name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "product_identification_helper": { "purl": "pkg:oci/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60?arch=ppc64le\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "product": { "name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "product_id": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "product_identification_helper": { "purl": "pkg:oci/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f?arch=amd64\u0026repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8\u0026tag=7.6-20" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le" }, "product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64" }, "product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" }, "product_reference": "rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2021-35065", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156324" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "glob-parent: Regular Expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35065" }, { "category": "external", "summary": "RHBZ#2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35065" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294", "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294" } ], "release_date": "2022-12-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "glob-parent: Regular Expression Denial of Service" }, { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "acknowledgments": [ { "names": [ "Marcus Nilsson" ], "organization": "usd AG" } ], "cve": "CVE-2022-1274", "cwe": { "id": "CWE-80", "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" }, "discovery_date": "2022-04-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073157" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: HTML injection in execute-actions-email Admin REST API", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1274" }, { "category": "external", "summary": "RHBZ#2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1274" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725" } ], "release_date": "2023-02-28T18:57:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: HTML injection in execute-actions-email Admin REST API" }, { "acknowledgments": [ { "names": [ "Grzegorz Tworek" ], "organization": "SISOFT s.c." } ], "cve": "CVE-2022-1438", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031904" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: XSS on impersonation under specific circumstances", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1438" }, { "category": "external", "summary": "RHBZ#2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1438" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438" } ], "release_date": "2023-02-28T18:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: XSS on impersonation under specific circumstances" }, { "cve": "CVE-2022-1471", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2150009" } ], "notes": [ { "category": "description", "text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", "title": "Vulnerability description" }, { "category": "summary", "text": "SnakeYaml: Constructor Deserialization Remote Code Execution", "title": "Vulnerability summary" }, { "category": "other", "text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1471" }, { "category": "external", "summary": "RHBZ#2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "category": "external", "summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" } ], "release_date": "2022-10-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "SnakeYaml: Constructor Deserialization Remote Code Execution" }, { "cve": "CVE-2022-2764", "discovery_date": "2022-08-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2117506" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2764" }, { "category": "external", "summary": "RHBZ#2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2764" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764" } ], "release_date": "2022-08-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations" }, { "cve": "CVE-2022-3782", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-10-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2138971" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: path traversal via double URL encoding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3782" }, { "category": "external", "summary": "RHBZ#2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3782" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782" } ], "release_date": "2022-12-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: path traversal via double URL encoding" }, { "acknowledgments": [ { "names": [ "Peter Flintholm" ], "organization": "Trifork" } ], "cve": "CVE-2022-3916", "cwe": { "id": "CWE-384", "name": "Session Fixation" }, "discovery_date": "2022-11-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2141404" } ], "notes": [ { "category": "description", "text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Session takeover with OIDC offline refreshtokens", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3916" }, { "category": "external", "summary": "RHBZ#2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3916" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916" } ], "release_date": "2022-11-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Session takeover with OIDC offline refreshtokens" }, { "acknowledgments": [ { "names": [ "Thibault Guittet" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2022-4039", "cwe": { "id": "CWE-276", "name": "Incorrect Default Permissions" }, "discovery_date": "2022-11-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2143416" } ], "notes": [ { "category": "description", "text": "A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.", "title": "Vulnerability description" }, { "category": "summary", "text": "rhsso-container-image: unsecured management interface exposed to adjecent network", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4039" }, { "category": "external", "summary": "RHBZ#2143416", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2143416" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4039", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4039" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4039" } ], "release_date": "2023-02-28T21:26:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "rhsso-container-image: unsecured management interface exposed to adjecent network" }, { "cve": "CVE-2022-24785", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-04-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2072009" } ], "notes": [ { "category": "description", "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "Moment.js: Path traversal in moment.locale", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24785" }, { "category": "external", "summary": "RHBZ#2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" } ], "release_date": "2022-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" }, { "category": "workaround", "details": "Sanitize the user-provided locale name before passing it to Moment.js.", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Moment.js: Path traversal in moment.locale" }, { "cve": "CVE-2022-25857", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126789" } ], "notes": [ { "category": "description", "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "title": "Vulnerability summary" }, { "category": "other", "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25857" }, { "category": "external", "summary": "RHBZ#2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "category": "external", "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" } ], "release_date": "2022-08-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections" }, { "cve": "CVE-2022-31129", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-07-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2105075" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "moment: inefficient parsing algorithm resulting in DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31129" }, { "category": "external", "summary": "RHBZ#2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" } ], "release_date": "2022-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "moment: inefficient parsing algorithm resulting in DoS" }, { "cve": "CVE-2022-37603", "cwe": { "id": "CWE-185", "name": "Incorrect Regular Expression" }, "discovery_date": "2022-11-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2140597" } ], "notes": [ { "category": "description", "text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.", "title": "Vulnerability description" }, { "category": "summary", "text": "loader-utils: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-37603" }, { "category": "external", "summary": "RHBZ#2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "loader-utils: Regular expression denial of service" }, { "cve": "CVE-2022-38749", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129706" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38749" }, { "category": "external", "summary": "RHBZ#2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode" }, { "cve": "CVE-2022-38750", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129707" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38750" }, { "category": "external", "summary": "RHBZ#2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject" }, { "cve": "CVE-2022-38751", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129709" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38751" }, { "category": "external", "summary": "RHBZ#2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46175", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156263" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.", "title": "Vulnerability description" }, { "category": "summary", "text": "json5: Prototype Pollution in JSON5 via Parse Method", "title": "Vulnerability summary" }, { "category": "other", "text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "RHBZ#2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "category": "external", "summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" } ], "release_date": "2022-12-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "json5: Prototype Pollution in JSON5 via Parse Method" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" }, { "acknowledgments": [ { "names": [ "Sourav Kumar" ], "organization": "https://github.com/souravs17031999", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0091", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-10-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Client Registration endpoint does not check token revocation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0091" }, { "category": "external", "summary": "RHBZ#2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0091" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg" }, { "category": "external", "summary": "https://github.com/keycloak/security/issues/27", "url": "https://github.com/keycloak/security/issues/27" } ], "release_date": "2022-10-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "keycloak: Client Registration endpoint does not check token revocation" }, { "acknowledgments": [ { "names": [ "Jordi Zayuelas i Mu\u00f1oz" ], "organization": "A1 Digital", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0264", "cwe": { "id": "CWE-303", "name": "Incorrect Implementation of Authentication Algorithm" }, "discovery_date": "2023-01-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2160585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: user impersonation via stolen uuid code", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0264" }, { "category": "external", "summary": "RHBZ#2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264" } ], "release_date": "2023-02-28T18:58:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:46:46+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1047" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:10450cf7e28d9b1628e95867562763019181a9a980e6e465fe69faf056a1cb60_ppc64le", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:19520720c6ff7acbfb4c8b1bc0d9353c2205bb640405f1d08f70ee14061f190f_amd64", "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:77e19865fa9031305daa8c9872eb273c6442748a9cd3d6628309721fbf781c21_s390x" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: user impersonation via stolen uuid code" } ] }
rhsa-2023_0553
Vulnerability from csaf_redhat
Published
2023-01-31 13:12
Modified
2024-11-15 13:21
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
(CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator
(CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n(CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n(CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy\n(CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator\n(CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n(CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0553", "url": "https://access.redhat.com/errata/RHSA-2023:0553" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "JBEAP-23864", "url": "https://issues.redhat.com/browse/JBEAP-23864" }, { "category": "external", "summary": "JBEAP-23865", "url": "https://issues.redhat.com/browse/JBEAP-23865" }, { "category": "external", "summary": "JBEAP-23866", "url": "https://issues.redhat.com/browse/JBEAP-23866" }, { "category": "external", "summary": "JBEAP-23927", "url": "https://issues.redhat.com/browse/JBEAP-23927" }, { "category": "external", "summary": "JBEAP-24055", "url": "https://issues.redhat.com/browse/JBEAP-24055" }, { "category": "external", "summary": "JBEAP-24081", "url": "https://issues.redhat.com/browse/JBEAP-24081" }, { "category": "external", "summary": "JBEAP-24095", "url": "https://issues.redhat.com/browse/JBEAP-24095" }, { "category": "external", "summary": "JBEAP-24100", "url": "https://issues.redhat.com/browse/JBEAP-24100" }, { "category": "external", "summary": "JBEAP-24127", "url": "https://issues.redhat.com/browse/JBEAP-24127" }, { "category": "external", "summary": "JBEAP-24128", "url": "https://issues.redhat.com/browse/JBEAP-24128" }, { "category": "external", "summary": "JBEAP-24132", "url": "https://issues.redhat.com/browse/JBEAP-24132" }, { "category": "external", "summary": "JBEAP-24147", "url": "https://issues.redhat.com/browse/JBEAP-24147" }, { "category": "external", "summary": "JBEAP-24167", "url": "https://issues.redhat.com/browse/JBEAP-24167" }, { "category": "external", "summary": "JBEAP-24191", "url": "https://issues.redhat.com/browse/JBEAP-24191" }, { "category": "external", "summary": "JBEAP-24195", "url": "https://issues.redhat.com/browse/JBEAP-24195" }, { "category": "external", "summary": "JBEAP-24207", "url": "https://issues.redhat.com/browse/JBEAP-24207" }, { "category": "external", "summary": "JBEAP-24248", "url": "https://issues.redhat.com/browse/JBEAP-24248" }, { "category": "external", "summary": "JBEAP-24426", "url": "https://issues.redhat.com/browse/JBEAP-24426" }, { "category": "external", "summary": "JBEAP-24427", "url": "https://issues.redhat.com/browse/JBEAP-24427" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0553.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update", "tracking": { "current_release_date": "2024-11-15T13:21:52+00:00", "generator": { "date": "2024-11-15T13:21:52+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:0553", "initial_release_date": "2023-01-31T13:12:13+00:00", "revision_history": [ { "date": "2023-01-31T13:12:13+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-01-31T13:12:13+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T13:21:52+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src", "product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "product": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "product": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "product": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "product": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "product": { "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "product": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "product": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "product": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "product": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "product": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "product": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el8eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "product": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el8eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "product": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el8eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src" }, "product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch" }, "product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" }, "product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src" }, "product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch" }, "product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "relates_to_product_reference": "8Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8", "product_id": "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" }, "product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src", "relates_to_product_reference": "8Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-9251", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2016-11-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1399546" } ], "notes": [ { "category": "description", "text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting via cross-domain ajax requests", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-9251" }, { "category": "external", "summary": "RHBZ#1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-9251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251" } ], "release_date": "2015-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting via cross-domain ajax requests" }, { "cve": "CVE-2016-10735", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-01-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1668097" } ], "notes": [ { "category": "description", "text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the data-target attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-10735" }, { "category": "external", "summary": "RHBZ#1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735", "url": "https://www.cve.org/CVERecord?id=CVE-2016-10735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735" } ], "release_date": "2016-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the data-target attribute" }, { "cve": "CVE-2017-18214", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-03-08T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1553413" } ], "notes": [ { "category": "description", "text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-moment: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-18214" }, { "category": "external", "summary": "RHBZ#1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214", "url": "https://www.cve.org/CVERecord?id=CVE-2017-18214" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214" } ], "release_date": "2017-09-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-moment: Regular expression denial of service" }, { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14041", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601616" } ], "notes": [ { "category": "description", "text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14041" }, { "category": "external", "summary": "RHBZ#1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14041" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-8331", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-02-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1686454" } ], "notes": [ { "category": "description", "text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the tooltip or popover data-template attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-8331" }, { "category": "external", "summary": "RHBZ#1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331", "url": "https://www.cve.org/CVERecord?id=CVE-2019-8331" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331" } ], "release_date": "2019-02-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the tooltip or popover data-template attribute" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2022-3143", "cwe": { "id": "CWE-208", "name": "Observable Timing Discrepancy" }, "discovery_date": "2022-09-06T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2124682" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-elytron: possible timing attacks via use of unsafe comparator", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3143" }, { "category": "external", "summary": "RHBZ#2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3143" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143" } ], "release_date": "2022-09-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "wildfly-elytron: possible timing attacks via use of unsafe comparator" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-40152", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2134291" } ], "notes": [ { "category": "description", "text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", "title": "Vulnerability description" }, { "category": "summary", "text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40152" }, { "category": "external", "summary": "RHBZ#2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40152" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4" } ], "release_date": "2022-09-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ], "known_not_affected": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:12:13+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0553" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el8eap.src", "8Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el8eap.src", "8Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.noarch", "8Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el8eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" } ] }
rhsa-2023_0544
Vulnerability from csaf_redhat
Published
2023-01-30 17:12
Modified
2024-11-06 02:21
Summary
Red Hat Security Advisory: Red Hat Camel for Spring Boot 3.14.5 Patch 1 release and security update
Notes
Topic
A patch is now available for Camel for Spring Boot 3.14.5. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This patch, Camel for Spring Boot 3.14.5 Patch 1, serves as a replacement for the previous release of Camel for Spring Boot 3.14.5 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. This release of Camel for Spring Boot includes CXF artifacts that were missing from the previous 3.14.5 release.
Security Fix(es):
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: If the value in map is the map's self, the new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A patch is now available for Camel for Spring Boot 3.14.5. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "This patch, Camel for Spring Boot 3.14.5 Patch 1, serves as a replacement for the previous release of Camel for Spring Boot 3.14.5 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. This release of Camel for Spring Boot includes CXF artifacts that were missing from the previous 3.14.5 release.\n\nSecurity Fix(es):\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: If the value in map is the map\u0027s self, the new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0544", "url": "https://access.redhat.com/errata/RHSA-2023:0544" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q1", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q1" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0544.json" } ], "title": "Red Hat Security Advisory: Red Hat Camel for Spring Boot 3.14.5 Patch 1 release and security update", "tracking": { "current_release_date": "2024-11-06T02:21:22+00:00", "generator": { "date": "2024-11-06T02:21:22+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2023:0544", "initial_release_date": "2023-01-30T17:12:00+00:00", "revision_history": [ { "date": "2023-01-30T17:12:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-01-30T17:12:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T02:21:22+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHINT Camel-Springboot 3.14.5.P1", "product": { "name": "RHINT Camel-Springboot 3.14.5.P1", "product_id": "RHINT Camel-Springboot 3.14.5.P1", "product_identification_helper": { "cpe": "cpe:/a:redhat:camel_spring_boot:3.14.5" } } } ], "category": "product_family", "name": "Red Hat Integration" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHINT Camel-Springboot 3.14.5.P1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-30T17:12:00+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.14.5 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/camel_spring_boot_reference/index", "product_ids": [ "RHINT Camel-Springboot 3.14.5.P1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0544" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHINT Camel-Springboot 3.14.5.P1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHINT Camel-Springboot 3.14.5.P1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-30T17:12:00+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.14.5 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/camel_spring_boot_reference/index", "product_ids": [ "RHINT Camel-Springboot 3.14.5.P1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0544" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHINT Camel-Springboot 3.14.5.P1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHINT Camel-Springboot 3.14.5.P1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-30T17:12:00+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.14.5 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/camel_spring_boot_reference/index", "product_ids": [ "RHINT Camel-Springboot 3.14.5.P1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0544" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "RHINT Camel-Springboot 3.14.5.P1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHINT Camel-Springboot 3.14.5.P1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-30T17:12:00+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nInstallation instructions are available from the Camel for Spring Boot 3.14.5 product documentation page.\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/getting_started_with_camel_spring_boot/index\n\nhttps://access.redhat.com/documentation/en-us/red_hat_integration/2023.q1/html/camel_spring_boot_reference/index", "product_ids": [ "RHINT Camel-Springboot 3.14.5.P1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0544" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHINT Camel-Springboot 3.14.5.P1" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" } ] }
rhsa-2023_1049
Vulnerability from csaf_redhat
Published
2023-03-01 21:58
Modified
2024-11-21 21:15
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update
Notes
Topic
A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO (CVE-2022-2237)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1049", "url": "https://access.redhat.com/errata/RHSA-2023:1049" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "2097007", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007" }, { "category": "external", "summary": "2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1049.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update", "tracking": { "current_release_date": "2024-11-21T21:15:42+00:00", "generator": { "date": "2024-11-21T21:15:42+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1049", "initial_release_date": "2023-03-01T21:58:17+00:00", "revision_history": [ { "date": "2023-03-01T21:58:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-03-01T21:58:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:42+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7", "product": { "name": "Red Hat Single Sign-On 7", "product_id": "Red Hat Single Sign-On 7", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2021-35065", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156324" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "glob-parent: Regular Expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35065" }, { "category": "external", "summary": "RHBZ#2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35065" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294", "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294" } ], "release_date": "2022-12-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "glob-parent: Regular Expression Denial of Service" }, { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "acknowledgments": [ { "names": [ "Marcus Nilsson" ], "organization": "usd AG" } ], "cve": "CVE-2022-1274", "cwe": { "id": "CWE-80", "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" }, "discovery_date": "2022-04-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073157" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: HTML injection in execute-actions-email Admin REST API", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1274" }, { "category": "external", "summary": "RHBZ#2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1274" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725" } ], "release_date": "2023-02-28T18:57:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: HTML injection in execute-actions-email Admin REST API" }, { "acknowledgments": [ { "names": [ "Grzegorz Tworek" ], "organization": "SISOFT s.c." } ], "cve": "CVE-2022-1438", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031904" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: XSS on impersonation under specific circumstances", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1438" }, { "category": "external", "summary": "RHBZ#2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1438" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438" } ], "release_date": "2023-02-28T18:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: XSS on impersonation under specific circumstances" }, { "cve": "CVE-2022-1471", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2150009" } ], "notes": [ { "category": "description", "text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", "title": "Vulnerability description" }, { "category": "summary", "text": "SnakeYaml: Constructor Deserialization Remote Code Execution", "title": "Vulnerability summary" }, { "category": "other", "text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1471" }, { "category": "external", "summary": "RHBZ#2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "category": "external", "summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" } ], "release_date": "2022-10-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "SnakeYaml: Constructor Deserialization Remote Code Execution" }, { "acknowledgments": [ { "names": [ "Ayta\u00e7 Kal\u0131nc\u0131", "Ilker Bulgurcu", "Yasin Y\u0131lmaz" ], "organization": "NETA\u015e PENTEST TEAM" } ], "cve": "CVE-2022-2237", "cwe": { "id": "CWE-601", "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)" }, "discovery_date": "2022-06-08T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2097007" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.", "title": "Vulnerability description" }, { "category": "summary", "text": "Adapter: Open redirect vulnerability in checkSSO", "title": "Vulnerability summary" }, { "category": "other", "text": "CodeReady Studio is no longer supported. Therefore, this flaw will not be addressed in CodeReady Studio. Please see https://developers.redhat.com/articles/2022/04/18/announcement-red-hat-codeready-studio-reaches-end-life for more information.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2237" }, { "category": "external", "summary": "RHBZ#2097007", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2097007" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2237", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2237" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2237" } ], "release_date": "2023-03-01T13:57:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Adapter: Open redirect vulnerability in checkSSO" }, { "cve": "CVE-2022-2764", "discovery_date": "2022-08-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2117506" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2764" }, { "category": "external", "summary": "RHBZ#2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2764" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764" } ], "release_date": "2022-08-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations" }, { "cve": "CVE-2022-3782", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-10-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2138971" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: path traversal via double URL encoding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3782" }, { "category": "external", "summary": "RHBZ#2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3782" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782" } ], "release_date": "2022-12-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: path traversal via double URL encoding" }, { "acknowledgments": [ { "names": [ "Peter Flintholm" ], "organization": "Trifork" } ], "cve": "CVE-2022-3916", "cwe": { "id": "CWE-384", "name": "Session Fixation" }, "discovery_date": "2022-11-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2141404" } ], "notes": [ { "category": "description", "text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Session takeover with OIDC offline refreshtokens", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3916" }, { "category": "external", "summary": "RHBZ#2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3916" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916" } ], "release_date": "2022-11-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Session takeover with OIDC offline refreshtokens" }, { "cve": "CVE-2022-4137", "cwe": { "id": "CWE-81", "name": "Improper Neutralization of Script in an Error Message Web Page" }, "discovery_date": "2022-11-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2148496" } ], "notes": [ { "category": "description", "text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: reflected XSS attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4137" }, { "category": "external", "summary": "RHBZ#2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137" } ], "release_date": "2023-03-01T13:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: reflected XSS attack" }, { "cve": "CVE-2022-24785", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-04-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2072009" } ], "notes": [ { "category": "description", "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "Moment.js: Path traversal in moment.locale", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24785" }, { "category": "external", "summary": "RHBZ#2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" } ], "release_date": "2022-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" }, { "category": "workaround", "details": "Sanitize the user-provided locale name before passing it to Moment.js.", "product_ids": [ "Red Hat Single Sign-On 7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Moment.js: Path traversal in moment.locale" }, { "cve": "CVE-2022-25857", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126789" } ], "notes": [ { "category": "description", "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "title": "Vulnerability summary" }, { "category": "other", "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25857" }, { "category": "external", "summary": "RHBZ#2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "category": "external", "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" } ], "release_date": "2022-08-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections" }, { "cve": "CVE-2022-31129", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-07-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2105075" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "moment: inefficient parsing algorithm resulting in DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31129" }, { "category": "external", "summary": "RHBZ#2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" } ], "release_date": "2022-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "moment: inefficient parsing algorithm resulting in DoS" }, { "cve": "CVE-2022-37603", "cwe": { "id": "CWE-185", "name": "Incorrect Regular Expression" }, "discovery_date": "2022-11-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2140597" } ], "notes": [ { "category": "description", "text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.", "title": "Vulnerability description" }, { "category": "summary", "text": "loader-utils: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-37603" }, { "category": "external", "summary": "RHBZ#2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "loader-utils: Regular expression denial of service" }, { "cve": "CVE-2022-38749", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129706" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38749" }, { "category": "external", "summary": "RHBZ#2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode" }, { "cve": "CVE-2022-38750", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129707" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38750" }, { "category": "external", "summary": "RHBZ#2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject" }, { "cve": "CVE-2022-38751", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129709" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38751" }, { "category": "external", "summary": "RHBZ#2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "Red Hat Single Sign-On 7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46175", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156263" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.", "title": "Vulnerability description" }, { "category": "summary", "text": "json5: Prototype Pollution in JSON5 via Parse Method", "title": "Vulnerability summary" }, { "category": "other", "text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "RHBZ#2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "category": "external", "summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" } ], "release_date": "2022-12-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "json5: Prototype Pollution in JSON5 via Parse Method" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" }, { "acknowledgments": [ { "names": [ "Sourav Kumar" ], "organization": "https://github.com/souravs17031999", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0091", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-10-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Client Registration endpoint does not check token revocation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0091" }, { "category": "external", "summary": "RHBZ#2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0091" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg" }, { "category": "external", "summary": "https://github.com/keycloak/security/issues/27", "url": "https://github.com/keycloak/security/issues/27" } ], "release_date": "2022-10-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "keycloak: Client Registration endpoint does not check token revocation" }, { "acknowledgments": [ { "names": [ "Jordi Zayuelas i Mu\u00f1oz" ], "organization": "A1 Digital", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0264", "cwe": { "id": "CWE-303", "name": "Incorrect Implementation of Authentication Algorithm" }, "discovery_date": "2023-01-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2160585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: user impersonation via stolen uuid code", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat Single Sign-On 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0264" }, { "category": "external", "summary": "RHBZ#2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264" } ], "release_date": "2023-02-28T18:58:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T21:58:17+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat Single Sign-On 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1049" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "Red Hat Single Sign-On 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: user impersonation via stolen uuid code" } ] }
rhsa-2023_2135
Vulnerability from csaf_redhat
Published
2023-05-04 15:59
Modified
2024-11-15 13:31
Summary
Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update
Notes
Topic
An update is now available for Red Hat Process Automation Manager.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This asynchronous security patch is an update to Red Hat Process Automation Manager 7.
Security Fixes:
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* commons-text: apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Process Automation Manager.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis asynchronous security patch is an update to Red Hat Process Automation Manager 7.\n\nSecurity Fixes:\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n\n* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* commons-text: apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:2135", "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135435", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2174246", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2135.json" } ], "title": "Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.3 security update", "tracking": { "current_release_date": "2024-11-15T13:31:38+00:00", "generator": { "date": "2024-11-15T13:31:38+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:2135", "initial_release_date": "2023-05-04T15:59:31+00:00", "revision_history": [ { "date": "2023-05-04T15:59:31+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-05-04T15:59:31+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T13:31:38+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "RHPAM 7.13.1 async", "product": { "name": "RHPAM 7.13.1 async", "product_id": "RHPAM 7.13.1 async", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13" } } } ], "category": "product_family", "name": "Red Hat Process Automation Manager" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-3782", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-10-31T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2138971" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: path traversal via double URL encoding", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason Quarkus is marked with Low impact.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3782" }, { "category": "external", "summary": "RHBZ#2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3782", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3782" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3782" } ], "release_date": "2022-12-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: path traversal via double URL encoding" }, { "cve": "CVE-2022-4244", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2149841" } ], "notes": [ { "category": "description", "text": "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.", "title": "Vulnerability description" }, { "category": "summary", "text": "codehaus-plexus: Directory Traversal", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4244" }, { "category": "external", "summary": "RHBZ#2149841", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4244", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4244" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4244" } ], "release_date": "2022-12-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "codehaus-plexus: Directory Traversal" }, { "cve": "CVE-2022-4245", "cwe": { "id": "CWE-91", "name": "XML Injection (aka Blind XPath Injection)" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2149843" } ], "notes": [ { "category": "description", "text": "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --\u003e sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.", "title": "Vulnerability description" }, { "category": "summary", "text": "codehaus-plexus: XML External Entity (XXE) Injection", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4245" }, { "category": "external", "summary": "RHBZ#2149843", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4245", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4245" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245" } ], "release_date": "2022-12-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "codehaus-plexus: XML External Entity (XXE) Injection" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-42889", "cwe": { "id": "CWE-1188", "name": "Initialization of a Resource with an Insecure Default" }, "discovery_date": "2022-10-15T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135435" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-text: variable interpolation RCE", "title": "Vulnerability summary" }, { "category": "other", "text": "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42889" }, { "category": "external", "summary": "RHBZ#2135435", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135435" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42889", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42889" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889" }, { "category": "external", "summary": "https://blogs.apache.org/security/entry/cve-2022-42889", "url": "https://blogs.apache.org/security/entry/cve-2022-42889" }, { "category": "external", "summary": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", "url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" }, { "category": "external", "summary": "https://seclists.org/oss-sec/2022/q4/22", "url": "https://seclists.org/oss-sec/2022/q4/22" } ], "release_date": "2022-10-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" }, { "category": "workaround", "details": "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", "product_ids": [ "RHPAM 7.13.1 async" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-commons-text: variable interpolation RCE" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" }, { "cve": "CVE-2023-1108", "cwe": { "id": "CWE-835", "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)" }, "discovery_date": "2023-02-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2174246" } ], "notes": [ { "category": "description", "text": "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.", "title": "Vulnerability description" }, { "category": "summary", "text": "Undertow: Infinite loop in SslConduit during close", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "RHPAM 7.13.1 async" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-1108" }, { "category": "external", "summary": "RHBZ#2174246", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1108", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1108" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-m4mm-pg93-fv78", "url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78" } ], "release_date": "2023-03-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-05-04T15:59:31+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "RHPAM 7.13.1 async" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:2135" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "RHPAM 7.13.1 async" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "Undertow: Infinite loop in SslConduit during close" } ] }
rhsa-2023_3610
Vulnerability from csaf_redhat
Published
2023-06-15 00:17
Modified
2024-11-15 13:34
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:3610", "url": "https://access.redhat.com/errata/RHSA-2023:3610" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2066479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479" }, { "category": "external", "summary": "2119646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646" }, { "category": "external", "summary": "2119647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2164278", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278" }, { "category": "external", "summary": "2178358", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358" }, { "category": "external", "summary": "2180528", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528" }, { "category": "external", "summary": "2180530", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530" }, { "category": "external", "summary": "2185707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185707" }, { "category": "external", "summary": "2188542", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542" }, { "category": "external", "summary": "2207830", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2207830" }, { "category": "external", "summary": "2207835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2207835" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3610.json" } ], "title": "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", "tracking": { "current_release_date": "2024-11-15T13:34:57+00:00", "generator": { "date": "2024-11-15T13:34:57+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:3610", "initial_release_date": "2023-06-15T00:17:42+00:00", "revision_history": [ { "date": "2023-06-15T00:17:42+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-06-15T00:17:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T13:34:57+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "OpenShift Developer Tools and Services for OCP 4.12", "product": { "name": "OpenShift Developer Tools and Services for OCP 4.12", "product_id": "8Base-OCP-Tools-4.12", "product_identification_helper": { "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8" } } } ], "category": "product_family", "name": "OpenShift Jenkins" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:2.401.1.1686649641-3.el8.src", "product": { "name": "jenkins-0:2.401.1.1686649641-3.el8.src", "product_id": "jenkins-0:2.401.1.1686649641-3.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=src" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", "product": { "name": "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", "product_id": "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "jenkins-0:2.401.1.1686649641-3.el8.noarch", "product": { "name": "jenkins-0:2.401.1.1686649641-3.el8.noarch", "product_id": "jenkins-0:2.401.1.1686649641-3.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=noarch" } } }, { "category": "product_version", "name": "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "product": { "name": "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "product_id": "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.401.1.1686649641-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", "product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch" }, "product_reference": "jenkins-0:2.401.1.1686649641-3.el8.noarch", "relates_to_product_reference": "8Base-OCP-Tools-4.12" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-0:2.401.1.1686649641-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", "product_id": "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" }, "product_reference": "jenkins-0:2.401.1.1686649641-3.el8.src", "relates_to_product_reference": "8Base-OCP-Tools-4.12" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", "product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch" }, "product_reference": "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "relates_to_product_reference": "8Base-OCP-Tools-4.12" }, { "category": "default_component_of", "full_product_name": { "name": "jenkins-2-plugins-0:4.12.1686649756-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", "product_id": "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" }, "product_reference": "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", "relates_to_product_reference": "8Base-OCP-Tools-4.12" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-46877", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-04-11T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2185707" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-46877" }, { "category": "external", "summary": "RHBZ#2185707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2185707" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-46877", "url": "https://www.cve.org/CVERecord?id=CVE-2021-46877" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877" } ], "release_date": "2023-03-19T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode" }, { "cve": "CVE-2022-29599", "cwe": { "id": "CWE-77", "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)" }, "discovery_date": "2022-03-15T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066479" } ], "notes": [ { "category": "description", "text": "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "maven-shared-utils: Command injection via Commandline class", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It\u0027s worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-29599" }, { "category": "external", "summary": "RHBZ#2066479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-29599", "url": "https://www.cve.org/CVERecord?id=CVE-2022-29599" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29599" } ], "release_date": "2020-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "maven-shared-utils: Command injection via Commandline class" }, { "cve": "CVE-2022-30953", "cwe": { "id": "CWE-352", "name": "Cross-Site Request Forgery (CSRF)" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119646" } ], "notes": [ { "category": "description", "text": "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: CSRF vulnerability in Blue Ocean Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30953" }, { "category": "external", "summary": "RHBZ#2119646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119646" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30953", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30953" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30953" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502" } ], "release_date": "2022-05-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: CSRF vulnerability in Blue Ocean Plugin" }, { "cve": "CVE-2022-30954", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2022-08-19T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2119647" } ], "notes": [ { "category": "description", "text": "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", "title": "Vulnerability description" }, { "category": "summary", "text": "plugin: missing permission checks in Blue Ocean Plugin", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-30954" }, { "category": "external", "summary": "RHBZ#2119647", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119647" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-30954", "url": "https://www.cve.org/CVERecord?id=CVE-2022-30954" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30954" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502" } ], "release_date": "2022-05-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "plugin: missing permission checks in Blue Ocean Plugin" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2023-1370", "cwe": { "id": "CWE-674", "name": "Uncontrolled Recursion" }, "discovery_date": "2023-04-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2188542" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", "title": "Vulnerability description" }, { "category": "summary", "text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-1370" }, { "category": "external", "summary": "RHBZ#2188542", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370", "url": "https://www.cve.org/CVERecord?id=CVE-2023-1370" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-493p-pfq6-5258", "url": "https://github.com/advisories/GHSA-493p-pfq6-5258" }, { "category": "external", "summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", "url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/" } ], "release_date": "2023-03-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)" }, { "cve": "CVE-2023-20860", "cwe": { "id": "CWE-155", "name": "Improper Neutralization of Wildcards or Matching Symbols" }, "discovery_date": "2023-03-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2180528" } ], "notes": [ { "category": "description", "text": "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", "title": "Vulnerability description" }, { "category": "summary", "text": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-20860" }, { "category": "external", "summary": "RHBZ#2180528", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180528" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-20860", "url": "https://www.cve.org/CVERecord?id=CVE-2023-20860" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20860" }, { "category": "external", "summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", "url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861" } ], "release_date": "2023-03-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern" }, { "cve": "CVE-2023-20861", "cwe": { "id": "CWE-770", "name": "Allocation of Resources Without Limits or Throttling" }, "discovery_date": "2023-03-21T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2180530" } ], "notes": [ { "category": "description", "text": "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", "title": "Vulnerability description" }, { "category": "summary", "text": "springframework: Spring Expression DoS Vulnerability", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-20861" }, { "category": "external", "summary": "RHBZ#2180530", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2180530" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-20861", "url": "https://www.cve.org/CVERecord?id=CVE-2023-20861" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861" }, { "category": "external", "summary": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", "url": "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861" } ], "release_date": "2023-03-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "springframework: Spring Expression DoS Vulnerability" }, { "cve": "CVE-2023-24422", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2023-01-25T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2164278" } ], "notes": [ { "category": "description", "text": "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-24422" }, { "category": "external", "summary": "RHBZ#2164278", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164278" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-24422", "url": "https://www.cve.org/CVERecord?id=CVE-2023-24422" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24422" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016" } ], "release_date": "2023-01-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin" }, { "cve": "CVE-2023-32977", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2023-05-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2207830" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim\u0027s Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim\u0027s cookie-based authentication credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won\u0027tfix.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-32977" }, { "category": "external", "summary": "RHBZ#2207830", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2207830" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-32977", "url": "https://www.cve.org/CVERecord?id=CVE-2023-32977" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32977" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042" } ], "release_date": "2023-05-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin" }, { "cve": "CVE-2023-32981", "discovery_date": "2023-05-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2207835" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", "title": "Vulnerability description" }, { "category": "summary", "text": "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", "title": "Vulnerability summary" }, { "category": "other", "text": "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won\u0027tfix.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "known_not_affected": [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-32981" }, { "category": "external", "summary": "RHBZ#2207835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2207835" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-32981", "url": "https://www.cve.org/CVERecord?id=CVE-2023-32981" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32981" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196" } ], "release_date": "2023-05-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-06-15T00:17:42+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:3610" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin" } ] }
rhsa-2023_0552
Vulnerability from csaf_redhat
Published
2023-01-31 13:15
Modified
2024-11-15 13:21
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0552", "url": "https://access.redhat.com/errata/RHSA-2023:0552" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "JBEAP-23864", "url": "https://issues.redhat.com/browse/JBEAP-23864" }, { "category": "external", "summary": "JBEAP-23865", "url": "https://issues.redhat.com/browse/JBEAP-23865" }, { "category": "external", "summary": "JBEAP-23866", "url": "https://issues.redhat.com/browse/JBEAP-23866" }, { "category": "external", "summary": "JBEAP-23926", "url": "https://issues.redhat.com/browse/JBEAP-23926" }, { "category": "external", "summary": "JBEAP-24055", "url": "https://issues.redhat.com/browse/JBEAP-24055" }, { "category": "external", "summary": "JBEAP-24081", "url": "https://issues.redhat.com/browse/JBEAP-24081" }, { "category": "external", "summary": "JBEAP-24095", "url": "https://issues.redhat.com/browse/JBEAP-24095" }, { "category": "external", "summary": "JBEAP-24100", "url": "https://issues.redhat.com/browse/JBEAP-24100" }, { "category": "external", "summary": "JBEAP-24127", "url": "https://issues.redhat.com/browse/JBEAP-24127" }, { "category": "external", "summary": "JBEAP-24128", "url": "https://issues.redhat.com/browse/JBEAP-24128" }, { "category": "external", "summary": "JBEAP-24132", "url": "https://issues.redhat.com/browse/JBEAP-24132" }, { "category": "external", "summary": "JBEAP-24147", "url": "https://issues.redhat.com/browse/JBEAP-24147" }, { "category": "external", "summary": "JBEAP-24167", "url": "https://issues.redhat.com/browse/JBEAP-24167" }, { "category": "external", "summary": "JBEAP-24191", "url": "https://issues.redhat.com/browse/JBEAP-24191" }, { "category": "external", "summary": "JBEAP-24195", "url": "https://issues.redhat.com/browse/JBEAP-24195" }, { "category": "external", "summary": "JBEAP-24207", "url": "https://issues.redhat.com/browse/JBEAP-24207" }, { "category": "external", "summary": "JBEAP-24248", "url": "https://issues.redhat.com/browse/JBEAP-24248" }, { "category": "external", "summary": "JBEAP-24426", "url": "https://issues.redhat.com/browse/JBEAP-24426" }, { "category": "external", "summary": "JBEAP-24427", "url": "https://issues.redhat.com/browse/JBEAP-24427" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0552.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update", "tracking": { "current_release_date": "2024-11-15T13:21:43+00:00", "generator": { "date": "2024-11-15T13:21:43+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:0552", "initial_release_date": "2023-01-31T13:15:22+00:00", "revision_history": [ { "date": "2023-01-31T13:15:22+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-01-31T13:15:22+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T13:21:43+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src", "product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "product": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "product": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "product": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "product": { "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "product": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "product": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "product": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "product": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "product": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "product": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "product": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el7eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "product": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el7eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "product": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_id": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el7eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src" }, "product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch" }, "product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" }, "product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src" }, "product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch" }, "product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "relates_to_product_reference": "7Server-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server", "product_id": "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" }, "product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src", "relates_to_product_reference": "7Server-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-9251", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2016-11-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1399546" } ], "notes": [ { "category": "description", "text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting via cross-domain ajax requests", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-9251" }, { "category": "external", "summary": "RHBZ#1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-9251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251" } ], "release_date": "2015-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting via cross-domain ajax requests" }, { "cve": "CVE-2016-10735", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-01-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1668097" } ], "notes": [ { "category": "description", "text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the data-target attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-10735" }, { "category": "external", "summary": "RHBZ#1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735", "url": "https://www.cve.org/CVERecord?id=CVE-2016-10735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735" } ], "release_date": "2016-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the data-target attribute" }, { "cve": "CVE-2017-18214", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-03-08T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1553413" } ], "notes": [ { "category": "description", "text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-moment: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-18214" }, { "category": "external", "summary": "RHBZ#1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214", "url": "https://www.cve.org/CVERecord?id=CVE-2017-18214" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214" } ], "release_date": "2017-09-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-moment: Regular expression denial of service" }, { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14041", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601616" } ], "notes": [ { "category": "description", "text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14041" }, { "category": "external", "summary": "RHBZ#1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14041" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-8331", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-02-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1686454" } ], "notes": [ { "category": "description", "text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the tooltip or popover data-template attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-8331" }, { "category": "external", "summary": "RHBZ#1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331", "url": "https://www.cve.org/CVERecord?id=CVE-2019-8331" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331" } ], "release_date": "2019-02-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the tooltip or popover data-template attribute" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2022-3143", "cwe": { "id": "CWE-208", "name": "Observable Timing Discrepancy" }, "discovery_date": "2022-09-06T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2124682" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-elytron: possible timing attacks via use of unsafe comparator", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3143" }, { "category": "external", "summary": "RHBZ#2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3143" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143" } ], "release_date": "2022-09-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "wildfly-elytron: possible timing attacks via use of unsafe comparator" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-40152", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2134291" } ], "notes": [ { "category": "description", "text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", "title": "Vulnerability description" }, { "category": "summary", "text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40152" }, { "category": "external", "summary": "RHBZ#2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40152" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4" } ], "release_date": "2022-09-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ], "known_not_affected": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:22+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0552" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el7eap.src", "7Server-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el7eap.src", "7Server-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.noarch", "7Server-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el7eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" } ] }
rhsa-2023_0556
Vulnerability from csaf_redhat
Published
2023-01-31 13:18
Modified
2024-11-15 13:21
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator (CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0556", "url": "https://access.redhat.com/errata/RHSA-2023:0556" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "JBEAP-23864", "url": "https://issues.redhat.com/browse/JBEAP-23864" }, { "category": "external", "summary": "JBEAP-23865", "url": "https://issues.redhat.com/browse/JBEAP-23865" }, { "category": "external", "summary": "JBEAP-23866", "url": "https://issues.redhat.com/browse/JBEAP-23866" }, { "category": "external", "summary": "JBEAP-24055", "url": "https://issues.redhat.com/browse/JBEAP-24055" }, { "category": "external", "summary": "JBEAP-24081", "url": "https://issues.redhat.com/browse/JBEAP-24081" }, { "category": "external", "summary": "JBEAP-24095", "url": "https://issues.redhat.com/browse/JBEAP-24095" }, { "category": "external", "summary": "JBEAP-24100", "url": "https://issues.redhat.com/browse/JBEAP-24100" }, { "category": "external", "summary": "JBEAP-24127", "url": "https://issues.redhat.com/browse/JBEAP-24127" }, { "category": "external", "summary": "JBEAP-24128", "url": "https://issues.redhat.com/browse/JBEAP-24128" }, { "category": "external", "summary": "JBEAP-24132", "url": "https://issues.redhat.com/browse/JBEAP-24132" }, { "category": "external", "summary": "JBEAP-24147", "url": "https://issues.redhat.com/browse/JBEAP-24147" }, { "category": "external", "summary": "JBEAP-24167", "url": "https://issues.redhat.com/browse/JBEAP-24167" }, { "category": "external", "summary": "JBEAP-24191", "url": "https://issues.redhat.com/browse/JBEAP-24191" }, { "category": "external", "summary": "JBEAP-24195", "url": "https://issues.redhat.com/browse/JBEAP-24195" }, { "category": "external", "summary": "JBEAP-24207", "url": "https://issues.redhat.com/browse/JBEAP-24207" }, { "category": "external", "summary": "JBEAP-24248", "url": "https://issues.redhat.com/browse/JBEAP-24248" }, { "category": "external", "summary": "JBEAP-24426", "url": "https://issues.redhat.com/browse/JBEAP-24426" }, { "category": "external", "summary": "JBEAP-24427", "url": "https://issues.redhat.com/browse/JBEAP-24427" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0556.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update", "tracking": { "current_release_date": "2024-11-15T13:21:25+00:00", "generator": { "date": "2024-11-15T13:21:25+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:0556", "initial_release_date": "2023-01-31T13:18:26+00:00", "revision_history": [ { "date": "2023-01-31T13:18:26+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-01-31T13:18:26+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T13:21:25+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 7", "product": { "name": "Red Hat JBoss Enterprise Application Platform 7", "product_id": "Red Hat JBoss Enterprise Application Platform 7", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-9251", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2016-11-27T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1399546" } ], "notes": [ { "category": "description", "text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting via cross-domain ajax requests", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-9251" }, { "category": "external", "summary": "RHBZ#1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-9251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251" } ], "release_date": "2015-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting via cross-domain ajax requests" }, { "cve": "CVE-2016-10735", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-01-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1668097" } ], "notes": [ { "category": "description", "text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the data-target attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-10735" }, { "category": "external", "summary": "RHBZ#1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735", "url": "https://www.cve.org/CVERecord?id=CVE-2016-10735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735" } ], "release_date": "2016-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the data-target attribute" }, { "cve": "CVE-2017-18214", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-03-08T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1553413" } ], "notes": [ { "category": "description", "text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-moment: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-18214" }, { "category": "external", "summary": "RHBZ#1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214", "url": "https://www.cve.org/CVERecord?id=CVE-2017-18214" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214" } ], "release_date": "2017-09-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-moment: Regular expression denial of service" }, { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14041", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601616" } ], "notes": [ { "category": "description", "text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14041" }, { "category": "external", "summary": "RHBZ#1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14041" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-8331", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-02-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1686454" } ], "notes": [ { "category": "description", "text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the tooltip or popover data-template attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-8331" }, { "category": "external", "summary": "RHBZ#1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331", "url": "https://www.cve.org/CVERecord?id=CVE-2019-8331" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331" } ], "release_date": "2019-02-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the tooltip or popover data-template attribute" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2022-3143", "cwe": { "id": "CWE-208", "name": "Observable Timing Discrepancy" }, "discovery_date": "2022-09-06T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2124682" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-elytron: possible timing attacks via use of unsafe comparator", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3143" }, { "category": "external", "summary": "RHBZ#2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3143" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143" } ], "release_date": "2022-09-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "wildfly-elytron: possible timing attacks via use of unsafe comparator" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-40152", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2134291" } ], "notes": [ { "category": "description", "text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", "title": "Vulnerability description" }, { "category": "summary", "text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40152" }, { "category": "external", "summary": "RHBZ#2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40152" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4" } ], "release_date": "2022-09-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 7" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:18:26+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 7" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0556" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Red Hat JBoss Enterprise Application Platform 7" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" } ] }
rhsa-2023_1043
Vulnerability from csaf_redhat
Published
2023-03-01 22:02
Modified
2024-11-21 21:15
Summary
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
Notes
Topic
New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.2 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438)\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n* keycloak: missing email notification template allowlist (CVE-2022-1274)\n* keycloak: minimist: prototype pollution (CVE-2021-44906)\n* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)\n* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764)\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n* loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603)\n* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)\n* keycloak: path traversal via double URL encoding (CVE-2022-3782)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n* keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091)\n* keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065)\n* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)\n* keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264)\n* snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)\n* jquery: Passing HTML containing \u003coption\u003e elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n* keycloak: reflected XSS attack (CVE-2022-4137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:1043", "url": "https://access.redhat.com/errata/RHSA-2023:1043" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2138971", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2138971" }, { "category": "external", "summary": "2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1043.json" } ], "title": "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7", "tracking": { "current_release_date": "2024-11-21T21:15:30+00:00", "generator": { "date": "2024-11-21T21:15:30+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:1043", "initial_release_date": "2023-03-01T22:02:40+00:00", "revision_history": [ { "date": "2023-03-01T22:02:40+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-03-01T22:02:40+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-21T21:15:30+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server", "product": { "name": "Red Hat Single Sign-On 7.6 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7" } } } ], "category": "product_family", "name": "Red Hat Single Sign-On" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "product": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak@18.0.6-1.redhat_00001.1.el7sso?arch=noarch" } } }, { "category": "product_version", "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "product": { "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "product_id": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/rh-sso7-keycloak-server@18.0.6-1.redhat_00001.1.el7sso?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.6" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src" }, "product_reference": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "relates_to_product_reference": "7Server-RHSSO-7.6" }, { "category": "default_component_of", "full_product_name": { "name": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch as a component of Red Hat Single Sign-On 7.6 for RHEL 7 Server", "product_id": "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" }, "product_reference": "rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "relates_to_product_reference": "7Server-RHSSO-7.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2021-35065", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156324" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in the glob-parent package. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks, affecting system availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "glob-parent: Regular Expression Denial of Service", "title": "Vulnerability summary" }, { "category": "other", "text": "The glob-parent package is a transitive dependency and this is not used directly in any of the Red Hat products. Hence, the impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-35065" }, { "category": "external", "summary": "RHBZ#2156324", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156324" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-35065", "url": "https://www.cve.org/CVERecord?id=CVE-2021-35065" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35065" }, { "category": "external", "summary": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294", "url": "https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294" } ], "release_date": "2022-12-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "glob-parent: Regular Expression Denial of Service" }, { "cve": "CVE-2021-44906", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-03-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2066009" } ], "notes": [ { "category": "description", "text": "An Uncontrolled Resource Consumption flaw was found in minimist. This flaw allows an attacker to trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "minimist: prototype pollution", "title": "Vulnerability summary" }, { "category": "other", "text": "The original fix for CVE-2020-7598 was incomplete as it was still possible to bypass in some cases. While this flaw (CVE-2021-44906) enables attackers to control objects that they should not have access to, actual exploitation would still require a chain of independent flaws. Even though the CVSS for CVE-2021-44906 is higher than CVE-2020-7598, they are both rated as having Moderate impact.\n\nWithin Red Hat Satellite 6 this flaw has been rated as having a security impact of Low. It is not currently planned to be addressed there, as the minimist library is only included in the -doc subpackage and is part of test fixtures that are not in the execution path used by the rabl gem.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-44906" }, { "category": "external", "summary": "RHBZ#2066009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-44906", "url": "https://www.cve.org/CVERecord?id=CVE-2021-44906" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-xvch-5gv4-984h", "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" } ], "release_date": "2022-03-10T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "minimist: prototype pollution" }, { "acknowledgments": [ { "names": [ "Marcus Nilsson" ], "organization": "usd AG" } ], "cve": "CVE-2022-1274", "cwe": { "id": "CWE-80", "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)" }, "discovery_date": "2022-04-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2073157" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: HTML injection in execute-actions-email Admin REST API", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1274" }, { "category": "external", "summary": "RHBZ#2073157", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073157" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1274", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1274" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1274" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725" } ], "release_date": "2023-02-28T18:57:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: HTML injection in execute-actions-email Admin REST API" }, { "acknowledgments": [ { "names": [ "Grzegorz Tworek" ], "organization": "SISOFT s.c." } ], "cve": "CVE-2022-1438", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2021-12-13T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2031904" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: XSS on impersonation under specific circumstances", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1438" }, { "category": "external", "summary": "RHBZ#2031904", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2031904" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1438", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1438" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1438" } ], "release_date": "2023-02-28T18:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: XSS on impersonation under specific circumstances" }, { "cve": "CVE-2022-1471", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2150009" } ], "notes": [ { "category": "description", "text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", "title": "Vulnerability description" }, { "category": "summary", "text": "SnakeYaml: Constructor Deserialization Remote Code Execution", "title": "Vulnerability summary" }, { "category": "other", "text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-1471" }, { "category": "external", "summary": "RHBZ#2150009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471", "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471" }, { "category": "external", "summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" } ], "release_date": "2022-10-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "SnakeYaml: Constructor Deserialization Remote Code Execution" }, { "cve": "CVE-2022-2764", "discovery_date": "2022-08-11T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2117506" } ], "notes": [ { "category": "description", "text": "A flaw was found in Undertow with EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from the bytes, causing a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-2764" }, { "category": "external", "summary": "RHBZ#2117506", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2117506" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-2764", "url": "https://www.cve.org/CVERecord?id=CVE-2022-2764" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2764" } ], "release_date": "2022-08-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations" }, { "acknowledgments": [ { "names": [ "Peter Flintholm" ], "organization": "Trifork" } ], "cve": "CVE-2022-3916", "cwe": { "id": "CWE-384", "name": "Session Fixation" }, "discovery_date": "2022-11-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2141404" } ], "notes": [ { "category": "description", "text": "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Session takeover with OIDC offline refreshtokens", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3916" }, { "category": "external", "summary": "RHBZ#2141404", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2141404" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3916", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3916" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3916" } ], "release_date": "2022-11-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: Session takeover with OIDC offline refreshtokens" }, { "cve": "CVE-2022-4137", "cwe": { "id": "CWE-81", "name": "Improper Neutralization of Script in an Error Message Web Page" }, "discovery_date": "2022-11-25T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2148496" } ], "notes": [ { "category": "description", "text": "A reflected cross-site scripting (XSS) vulnerability was found in the \u0027oob\u0027 OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: reflected XSS attack", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-4137" }, { "category": "external", "summary": "RHBZ#2148496", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2148496" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4137", "url": "https://www.cve.org/CVERecord?id=CVE-2022-4137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4137" } ], "release_date": "2023-03-01T13:56:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "keycloak: reflected XSS attack" }, { "cve": "CVE-2022-24785", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2022-04-05T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2072009" } ], "notes": [ { "category": "description", "text": "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "Moment.js: Path traversal in moment.locale", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24785" }, { "category": "external", "summary": "RHBZ#2072009", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2072009" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24785", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24785" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" } ], "release_date": "2022-04-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" }, { "category": "workaround", "details": "Sanitize the user-provided locale name before passing it to Moment.js.", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Moment.js: Path traversal in moment.locale" }, { "cve": "CVE-2022-25857", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-09-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2126789" } ], "notes": [ { "category": "description", "text": "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Denial of Service due to missing nested depth limitation for collections", "title": "Vulnerability summary" }, { "category": "other", "text": "For RHEL-8 it\u0027s downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn\u0027t shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it\u0027s not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-25857" }, { "category": "external", "summary": "RHBZ#2126789", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2126789" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-25857", "url": "https://www.cve.org/CVERecord?id=CVE-2022-25857" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25857" }, { "category": "external", "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/525" } ], "release_date": "2022-08-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "snakeyaml: Denial of Service due to missing nested depth limitation for collections" }, { "cve": "CVE-2022-31129", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-07-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2105075" } ], "notes": [ { "category": "description", "text": "A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.", "title": "Vulnerability description" }, { "category": "summary", "text": "moment: inefficient parsing algorithm resulting in DoS", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Fuse provides the affected software but does not use the functionality and as such its impact has been downgraded to Low.\n\nRed Hat Advanced Cluster Management for Kubernetes (RHACM) ships a vulnerable version of the moment library. However, this affected functionality is restricted behind OAuth, reducing the impact to Moderate.\n\nRed Hat Satellite ships a vulnerable version of the moment library. However, this only affects a specific component (qpid-dispatch), reducing the impact to Moderate.\n\nRed Hat Ceph Storage (RHCS) ships a vulnerable version of the moment library, however, it is not directly used and is a transitive dependency from Angular. In addition, the impact would only be to the grafana browser, and not the underlying RHCS system, which reduces the impact to Moderate. \n\nRed Hat OpenShift Service Mesh (OSSM) ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nRed Hat OpenShift distributed tracing ships a vulnerable version of the moment library, however, it is not directly used, and as such, the impact has been lowered to Moderate.\n\nIn Logging Subsystem for Red Hat OpenShift the vulnerable moment nodejs package is bundled in the ose-logging-kibana6 container as a transitive dependency, hence the direct impact is reduced to Moderate.\n\nIn OpenShift Container Platform 4 the vulnerabile moment package is a third party dependency, hence the direct impact is reduced to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-31129" }, { "category": "external", "summary": "RHBZ#2105075", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2105075" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31129", "url": "https://www.cve.org/CVERecord?id=CVE-2022-31129" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31129" }, { "category": "external", "summary": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g", "url": "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g" } ], "release_date": "2022-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "moment: inefficient parsing algorithm resulting in DoS" }, { "cve": "CVE-2022-37603", "cwe": { "id": "CWE-185", "name": "Incorrect Regular Expression" }, "discovery_date": "2022-11-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2140597" } ], "notes": [ { "category": "description", "text": "A flaw was found in loader-utils webpack library. When the url variable from interpolateName is set, the prototype can be polluted. This issue could lead to a regular expression Denial of Service (ReDoS), affecting the availability of the affected component.", "title": "Vulnerability description" }, { "category": "summary", "text": "loader-utils: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-37603" }, { "category": "external", "summary": "RHBZ#2140597", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2140597" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-37603", "url": "https://www.cve.org/CVERecord?id=CVE-2022-37603" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37603" } ], "release_date": "2022-10-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "loader-utils: Regular expression denial of service" }, { "cve": "CVE-2022-38749", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129706" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38749" }, { "category": "external", "summary": "RHBZ#2129706", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129706" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38749", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38749" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38749" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode" }, { "cve": "CVE-2022-38750", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129707" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38750" }, { "category": "external", "summary": "RHBZ#2129707", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129707" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38750", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38750" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38750" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject" }, { "cve": "CVE-2022-38751", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2129709" } ], "notes": [ { "category": "description", "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-38751" }, { "category": "external", "summary": "RHBZ#2129709", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129709" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38751", "url": "https://www.cve.org/CVERecord?id=CVE-2022-38751" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38751" } ], "release_date": "2022-09-05T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46175", "cwe": { "id": "CWE-1321", "name": "Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)" }, "discovery_date": "2022-12-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156263" } ], "notes": [ { "category": "description", "text": "A flaw was found in the json5 package. The affected version of the json5 package could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse.", "title": "Vulnerability description" }, { "category": "summary", "text": "json5: Prototype Pollution in JSON5 via Parse Method", "title": "Vulnerability summary" }, { "category": "other", "text": "The json5 package is a build-time dependency in Red Hat products and is not used in production runtime. Hence, the impact is set to Moderate.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46175" }, { "category": "external", "summary": "RHBZ#2156263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156263" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46175", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46175" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46175" }, { "category": "external", "summary": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h", "url": "https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h" } ], "release_date": "2022-12-24T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "json5: Prototype Pollution in JSON5 via Parse Method" }, { "cve": "CVE-2022-46363", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155681" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: directory listing / code exfiltration", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46363" }, { "category": "external", "summary": "RHBZ#2155681", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363" }, { "category": "external", "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CXF: directory listing / code exfiltration" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "CXF: SSRF Vulnerability" }, { "acknowledgments": [ { "names": [ "Sourav Kumar" ], "organization": "https://github.com/souravs17031999", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0091", "cwe": { "id": "CWE-20", "name": "Improper Input Validation" }, "discovery_date": "2022-10-28T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2158585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: Client Registration endpoint does not check token revocation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0091" }, { "category": "external", "summary": "RHBZ#2158585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0091", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0091" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0091" }, { "category": "external", "summary": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg", "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-v436-q368-hvgg" }, { "category": "external", "summary": "https://github.com/keycloak/security/issues/27", "url": "https://github.com/keycloak/security/issues/27" } ], "release_date": "2022-10-28T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "keycloak: Client Registration endpoint does not check token revocation" }, { "acknowledgments": [ { "names": [ "Jordi Zayuelas i Mu\u00f1oz" ], "organization": "A1 Digital", "summary": "Acknowledged by upstream." } ], "cve": "CVE-2023-0264", "cwe": { "id": "CWE-303", "name": "Incorrect Implementation of Authentication Algorithm" }, "discovery_date": "2023-01-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2160585" } ], "notes": [ { "category": "description", "text": "A flaw was found in Keycloak\u0027s OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, Integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "keycloak: user impersonation via stolen uuid code", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-0264" }, { "category": "external", "summary": "RHBZ#2160585", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160585" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0264", "url": "https://www.cve.org/CVERecord?id=CVE-2023-0264" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0264" } ], "release_date": "2023-02-28T18:58:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-03-01T22:02:40+00:00", "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:1043" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "products": [ "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.noarch", "7Server-RHSSO-7.6:rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso.src", "7Server-RHSSO-7.6:rh-sso7-keycloak-server-0:18.0.6-1.redhat_00001.1.el7sso.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "keycloak: user impersonation via stolen uuid code" } ] }
rhsa-2023_0554
Vulnerability from csaf_redhat
Published
2023-01-31 13:15
Modified
2024-11-15 13:21
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
Notes
Topic
An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
(CVE-2018-14040)
* jquery: Untrusted code execution via <option> tag in HTML passed to DOM
manipulation methods (CVE-2020-11023)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
(CVE-2020-11022)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy
(CVE-2018-14041)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of
Service attacks (CVE-2022-40152)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of
tooltip (CVE-2018-14042)
* bootstrap: XSS in the tooltip or popover data-template attribute
(CVE-2019-8331)
* nodejs-moment: Regular expression denial of service (CVE-2017-18214)
* wildfly-elytron: possible timing attacks via use of unsafe comparator
(CVE-2022-3143)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
(CVE-2022-42003)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9.\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n(CVE-2018-14040)\n\n* jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM\nmanipulation methods (CVE-2020-11023)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n(CVE-2020-11022)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy\n(CVE-2018-14041)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability\n(CVE-2022-45047)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of\nService attacks (CVE-2022-40152)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* nodejs-moment: Regular expression denial of service (CVE-2017-18214)\n\n* wildfly-elytron: possible timing attacks via use of unsafe comparator\n(CVE-2022-3143)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n(CVE-2022-42003)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data\n(CVE-2022-40150)\n\n* jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0554", "url": "https://access.redhat.com/errata/RHSA-2023:0554" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/" }, { "category": "external", "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/", "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/" }, { "category": "external", "summary": "1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "JBEAP-23864", "url": "https://issues.redhat.com/browse/JBEAP-23864" }, { "category": "external", "summary": "JBEAP-23865", "url": "https://issues.redhat.com/browse/JBEAP-23865" }, { "category": "external", "summary": "JBEAP-23866", "url": "https://issues.redhat.com/browse/JBEAP-23866" }, { "category": "external", "summary": "JBEAP-23928", "url": "https://issues.redhat.com/browse/JBEAP-23928" }, { "category": "external", "summary": "JBEAP-24055", "url": "https://issues.redhat.com/browse/JBEAP-24055" }, { "category": "external", "summary": "JBEAP-24081", "url": "https://issues.redhat.com/browse/JBEAP-24081" }, { "category": "external", "summary": "JBEAP-24095", "url": "https://issues.redhat.com/browse/JBEAP-24095" }, { "category": "external", "summary": "JBEAP-24100", "url": "https://issues.redhat.com/browse/JBEAP-24100" }, { "category": "external", "summary": "JBEAP-24127", "url": "https://issues.redhat.com/browse/JBEAP-24127" }, { "category": "external", "summary": "JBEAP-24128", "url": "https://issues.redhat.com/browse/JBEAP-24128" }, { "category": "external", "summary": "JBEAP-24132", "url": "https://issues.redhat.com/browse/JBEAP-24132" }, { "category": "external", "summary": "JBEAP-24147", "url": "https://issues.redhat.com/browse/JBEAP-24147" }, { "category": "external", "summary": "JBEAP-24167", "url": "https://issues.redhat.com/browse/JBEAP-24167" }, { "category": "external", "summary": "JBEAP-24191", "url": "https://issues.redhat.com/browse/JBEAP-24191" }, { "category": "external", "summary": "JBEAP-24195", "url": "https://issues.redhat.com/browse/JBEAP-24195" }, { "category": "external", "summary": "JBEAP-24207", "url": "https://issues.redhat.com/browse/JBEAP-24207" }, { "category": "external", "summary": "JBEAP-24248", "url": "https://issues.redhat.com/browse/JBEAP-24248" }, { "category": "external", "summary": "JBEAP-24426", "url": "https://issues.redhat.com/browse/JBEAP-24426" }, { "category": "external", "summary": "JBEAP-24427", "url": "https://issues.redhat.com/browse/JBEAP-24427" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0554.json" } ], "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update", "tracking": { "current_release_date": "2024-11-15T13:21:34+00:00", "generator": { "date": "2024-11-15T13:21:34+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2023:0554", "initial_release_date": "2023-01-31T13:15:23+00:00", "revision_history": [ { "date": "2023-01-31T13:15:23+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-01-31T13:15:23+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-15T13:21:34+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss EAP 7.4 for RHEL 9", "product": { "name": "Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-elytron-web@1.9.3-1.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "product": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src", "product": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src", "product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "product": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "product": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "product": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "product": { "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_id": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-providers@2.12.7-1.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "product": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "product": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "product": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "product": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "product": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "product": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "product": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el9eap?arch=src" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "product": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el9eap?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow-server@1.9.3-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-databind@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "product_id": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-woodstox-core@6.4.0-1.redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jdk8@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-datatype-jsr310@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-java8@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "product_id": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria@1.0.1-3.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "product_id": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-javaee-security-soteria-enterprise@1.0.1-3.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-base@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-jaxrs-json-provider@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-core@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-module-jaxb-annotations@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_id": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jackson-modules-base@2.12.7-1.redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "product": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "product_id": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jettison@1.5.2-1.redhat_00002.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "product_id": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-undertow@2.2.22-1.SP3_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-remoting@5.0.27-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hal-console@3.3.16-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-api@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-impl@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-common-spi@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-core-api@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-core-impl@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-deployers-common@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-jdbc@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-ironjacamar-validator@1.5.10-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsp-api_2.3_spec@2.0.0-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "product_id": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-apache-sshd@2.9.2-1.redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-ejb-client@4.0.49-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "product_id": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-6.SP07_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jgroups@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-backend-jms@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-engine@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-orm@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-hibernate-search-serialization-avro@5.10.13-3.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron@1.15.16-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "product": { "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "product_id": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-elytron-tool@1.15.16-1.Final_redhat_00001.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product_id": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product_id": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-cli@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product": { "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product_id": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-jboss-server-migration-core@1.10.0-24.Final_redhat_00023.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product_id": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product_id": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch" } } }, { "category": "product_version", "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product": { "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product_id": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.9-4.GA_redhat_00003.1.el9eap?arch=noarch" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src" }, "product_reference": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src" }, "product_reference": "eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src" }, "product_reference": "eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch" }, "product_reference": "eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch" }, "product_reference": "eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch" }, "product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" }, "product_reference": "eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src" }, "product_reference": "eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src" }, "product_reference": "eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch" }, "product_reference": "eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch" }, "product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "relates_to_product_reference": "9Base-JBEAP-7.4" }, { "category": "default_component_of", "full_product_name": { "name": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9", "product_id": "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" }, "product_reference": "eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src", "relates_to_product_reference": "9Base-JBEAP-7.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-9251", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2016-11-27T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1399546" } ], "notes": [ { "category": "description", "text": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting via cross-domain ajax requests", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2015-9251" }, { "category": "external", "summary": "RHBZ#1399546", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1399546" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2015-9251", "url": "https://www.cve.org/CVERecord?id=CVE-2015-9251" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251" } ], "release_date": "2015-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting via cross-domain ajax requests" }, { "cve": "CVE-2016-10735", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-01-09T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1668097" } ], "notes": [ { "category": "description", "text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the data-target attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2016-10735" }, { "category": "external", "summary": "RHBZ#1668097", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735", "url": "https://www.cve.org/CVERecord?id=CVE-2016-10735" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735", "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735" } ], "release_date": "2016-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the data-target attribute" }, { "cve": "CVE-2017-18214", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2018-03-08T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1553413" } ], "notes": [ { "category": "description", "text": "The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055.", "title": "Vulnerability description" }, { "category": "summary", "text": "nodejs-moment: Regular expression denial of service", "title": "Vulnerability summary" }, { "category": "other", "text": "This issue affects the versions of momentjs as shipped with Red Hat Enterprise Satellite 5. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-18214" }, { "category": "external", "summary": "RHBZ#1553413", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1553413" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-18214", "url": "https://www.cve.org/CVERecord?id=CVE-2017-18214" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214" } ], "release_date": "2017-09-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "nodejs-moment: Regular expression denial of service" }, { "cve": "CVE-2018-14040", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601614" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14040" }, { "category": "external", "summary": "RHBZ#1601614", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601614" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14040", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14040" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14040" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute" }, { "cve": "CVE-2018-14041", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601616" } ], "notes": [ { "category": "description", "text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the data-target property of scrollspy. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14041" }, { "category": "external", "summary": "RHBZ#1601616", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601616" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14041", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14041" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14041" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy" }, { "cve": "CVE-2018-14042", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2018-07-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1601617" } ], "notes": [ { "category": "description", "text": "In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite 6.2 and newer versions don\u0027t use the bootstrap library, hence are not affected by this flaw.\n\nRed Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.\n\nRed Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2018-14042" }, { "category": "external", "summary": "RHBZ#1601617", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601617" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2018-14042", "url": "https://www.cve.org/CVERecord?id=CVE-2018-14042" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042", "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14042" } ], "release_date": "2018-05-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip" }, { "cve": "CVE-2019-8331", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-02-20T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1686454" } ], "notes": [ { "category": "description", "text": "A cross-site scripting vulnerability was discovered in bootstrap. If an attacker could control the data given to tooltip or popover, they could inject HTML or Javascript into the rendered page when tooltip or popover events fired.", "title": "Vulnerability description" }, { "category": "summary", "text": "bootstrap: XSS in the tooltip or popover data-template attribute", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions don\u0027t use the vulnerable component at all.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-8331" }, { "category": "external", "summary": "RHBZ#1686454", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686454" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-8331", "url": "https://www.cve.org/CVERecord?id=CVE-2019-8331" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8331" } ], "release_date": "2019-02-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "bootstrap: XSS in the tooltip or popover data-template attribute" }, { "cve": "CVE-2019-11358", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2019-03-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1701972" } ], "notes": [ { "category": "description", "text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2019-11358" }, { "category": "external", "summary": "RHBZ#1701972", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358", "url": "https://www.cve.org/CVERecord?id=CVE-2019-11358" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" }, { "category": "external", "summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/", "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/" }, { "category": "external", "summary": "https://www.drupal.org/sa-core-2019-006", "url": "https://www.drupal.org/sa-core-2019-006" } ], "release_date": "2019-03-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection" }, { "cve": "CVE-2020-11022", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-04-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1828406" } ], "notes": [ { "category": "description", "text": "A Cross-site scripting (XSS) vulnerability exists in JQuery. This flaw allows an attacker with the ability to supply input to the \u2018HTML\u2019 function to inject Javascript into the page where that input is rendered, and have it delivered by the browser.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method", "title": "Vulnerability summary" }, { "category": "other", "text": "No supported release of Red Hat OpenStack Platform is affected by this vulnerability as no shipped packages contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11022" }, { "category": "external", "summary": "RHBZ#1828406", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828406" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11022", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11022" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" } ], "release_date": "2020-04-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method" }, { "cve": "CVE-2020-11023", "cwe": { "id": "CWE-79", "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)" }, "discovery_date": "2020-06-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1850004" } ], "notes": [ { "category": "description", "text": "A flaw was found in jQuery. HTML containing \\\u003coption\\\u003e elements from untrusted sources are passed, even after sanitizing, to one of jQuery\u0027s DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Enterprise Linux versions 6, 7, and 8 ship a vulnerable version of JQuery in the `pcs` component. However, the vulnerability has not been found to be exploitable in reasonable scenarios. \n\nIn RHEL7, pcs-0.9.169-3.el7_9.3 [RHSA-2022:7343] contains an updated version of jquery (3.6.0), which does not contain the vulnerable code.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-11023" }, { "category": "external", "summary": "RHBZ#1850004", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1850004" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-11023", "url": "https://www.cve.org/CVERecord?id=CVE-2020-11023" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" }, { "category": "external", "summary": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/" } ], "release_date": "2020-04-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jquery: Untrusted code execution via \u003coption\u003e tag in HTML passed to DOM manipulation methods" }, { "cve": "CVE-2022-3143", "cwe": { "id": "CWE-208", "name": "Observable Timing Discrepancy" }, "discovery_date": "2022-09-06T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2124682" } ], "notes": [ { "category": "description", "text": "A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user.", "title": "Vulnerability description" }, { "category": "summary", "text": "wildfly-elytron: possible timing attacks via use of unsafe comparator", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3143" }, { "category": "external", "summary": "RHBZ#2124682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2124682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3143", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3143" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3143" } ], "release_date": "2022-09-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "wildfly-elytron: possible timing attacks via use of unsafe comparator" }, { "cve": "CVE-2022-40149", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135771" } ], "notes": [ { "category": "description", "text": "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: parser crash by stackoverflow", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40149" }, { "category": "external", "summary": "RHBZ#2135771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135771" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40149", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: parser crash by stackoverflow" }, { "cve": "CVE-2022-40150", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2022-10-18T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135770" } ], "notes": [ { "category": "description", "text": "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: memory exhaustion via user-supplied XML or JSON data", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40150" }, { "category": "external", "summary": "RHBZ#2135770", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135770" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40150", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" }, { "category": "external", "summary": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" } ], "release_date": "2022-09-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jettison: memory exhaustion via user-supplied XML or JSON data" }, { "cve": "CVE-2022-40152", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-10-13T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2134291" } ], "notes": [ { "category": "description", "text": "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", "title": "Vulnerability description" }, { "category": "summary", "text": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-40152" }, { "category": "external", "summary": "RHBZ#2134291", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2134291" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-40152", "url": "https://www.cve.org/CVERecord?id=CVE-2022-40152" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", "url": "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4" } ], "release_date": "2022-09-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks" }, { "cve": "CVE-2022-42003", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135244" } ], "notes": [ { "category": "description", "text": "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42003" }, { "category": "external", "summary": "RHBZ#2135244", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135244" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42003", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42003" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS" }, { "cve": "CVE-2022-42004", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-10-17T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2135247" } ], "notes": [ { "category": "description", "text": "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", "title": "Vulnerability description" }, { "category": "summary", "text": "jackson-databind: use of deeply nested arrays", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-42004" }, { "category": "external", "summary": "RHBZ#2135247", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2135247" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-42004", "url": "https://www.cve.org/CVERecord?id=CVE-2022-42004" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" } ], "release_date": "2022-10-02T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jackson-databind: use of deeply nested arrays" }, { "cve": "CVE-2022-45047", "cwe": { "id": "CWE-502", "name": "Deserialization of Untrusted Data" }, "discovery_date": "2022-11-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2145194" } ], "notes": [ { "category": "description", "text": "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", "title": "Vulnerability description" }, { "category": "summary", "text": "mina-sshd: Java unsafe deserialization vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Impact as High as there\u0027s a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it\u0027s very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45047" }, { "category": "external", "summary": "RHBZ#2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45047", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45047" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45047" }, { "category": "external", "summary": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", "url": "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html" } ], "release_date": "2022-11-16T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" }, { "category": "workaround", "details": "From the maintainer:\n\nFor Apache MINA SSHD \u003c= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server\u0027s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "mina-sshd: Java unsafe deserialization vulnerability" }, { "cve": "CVE-2022-45693", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-12-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155970" } ], "notes": [ { "category": "description", "text": "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ], "known_not_affected": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-45693" }, { "category": "external", "summary": "RHBZ#2155970", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155970" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45693", "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jettison: If the value in map is the map\u0027s self, the new new JSONObject(map) cause StackOverflowError which may lead to dos" }, { "cve": "CVE-2022-46364", "cwe": { "id": "CWE-918", "name": "Server-Side Request Forgery (SSRF)" }, "discovery_date": "2022-12-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2155682" } ], "notes": [ { "category": "description", "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", "title": "Vulnerability description" }, { "category": "summary", "text": "CXF: SSRF Vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-46364" }, { "category": "external", "summary": "RHBZ#2155682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364", "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364" }, { "category": "external", "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2", "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2" } ], "release_date": "2022-12-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-01-31T13:15:23+00:00", "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0554" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-elytron-web-0:1.9.3-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-0:5.10.13-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jgroups-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-backend-jms-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-engine-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-orm-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-hibernate-search-serialization-avro-0:5.10.13-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-0:1.5.10-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-ironjacamar-common-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-common-spi-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-api-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-core-impl-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-deployers-common-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-jdbc-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-ironjacamar-validator-0:1.5.10-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-annotations-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-core-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-databind-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-datatype-jdk8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-datatype-jsr310-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-json-provider-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-jaxrs-providers-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-module-jaxb-annotations-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-base-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jackson-modules-java8-0:2.12.7-1.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-0:1.0.1-3.redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-javaee-security-soteria-enterprise-0:1.0.1-3.redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-ejb-client-0:4.0.49-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsf-api_2.3_spec-0:3.0.0-6.SP07_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-jsp-api_2.3_spec-0:2.0.0-3.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-remoting-0:5.0.27-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-0:1.10.0-24.Final_redhat_00023.1.el9eap.src", "9Base-JBEAP-7.4:eap7-jboss-server-migration-cli-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jboss-server-migration-core-0:1.10.0-24.Final_redhat_00023.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-jettison-0:1.5.2-1.redhat_00002.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-undertow-0:2.2.22-1.SP3_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-undertow-server-0:1.9.3-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.9-4.GA_redhat_00003.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-elytron-0:1.15.16-1.Final_redhat_00001.1.el9eap.src", "9Base-JBEAP-7.4:eap7-wildfly-elytron-tool-0:1.15.16-1.Final_redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.9-4.GA_redhat_00003.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.noarch", "9Base-JBEAP-7.4:eap7-woodstox-core-0:6.4.0-1.redhat_00001.1.el9eap.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CXF: SSRF Vulnerability" } ] }
wid-sec-w-2023-0239
Vulnerability from csaf_certbund
Published
2023-01-31 23:00
Modified
2024-02-28 23:00
Summary
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um beliebigen Programmcode auszuführen, ein Cross-Site-Scritping-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme
- Linux
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "JBoss Enterprise Application Platform ist eine skalierbare Plattform f\u00fcr Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen.", "title": "Angriff" }, { "category": "general", "text": "- Linux", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-0239 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0239.json" }, { "category": "self", "summary": "WID-SEC-2023-0239 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0239" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0552 vom 2023-01-31", "url": "https://access.redhat.com/errata/RHSA-2023:0552" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0553 vom 2023-01-31", "url": "https://access.redhat.com/errata/RHSA-2023:0553" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0554 vom 2023-01-31", "url": "https://access.redhat.com/errata/RHSA-2023:0554" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0556 vom 2023-01-31", "url": "https://access.redhat.com/errata/RHSA-2023:0556" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0560 vom 2023-02-08", "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:0713 vom 2023-02-09", "url": "https://access.redhat.com/errata/RHSA-2023:0713" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:1044 vom 2023-03-02", "url": "https://access.redhat.com/errata/RHSA-2023:1044" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:1043 vom 2023-03-02", "url": "https://access.redhat.com/errata/RHSA-2023:1043" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:1049 vom 2023-03-02", "url": "https://access.redhat.com/errata/RHSA-2023:1049" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:1047 vom 2023-03-02", "url": "https://access.redhat.com/errata/RHSA-2023:1047" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:1045 vom 2023-03-02", "url": "https://access.redhat.com/errata/RHSA-2023:1045" }, { "category": "external", "summary": "F5 Security Advisory K48382137 vom 2023-04-21", "url": "https://my.f5.com/manage/s/article/K48382137" }, { "category": "external", "summary": "F5 Security Advisory K05380109 vom 2023-04-20", "url": "https://my.f5.com/manage/s/article/K05380109" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:3223 vom 2023-05-18", "url": "https://access.redhat.com/errata/RHSA-2023:3223" }, { "category": "external", "summary": "Hitachi Software Vulnerability Information hitachi-sec-2023-116 vom 2023-05-23", "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-116/index.html" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2023:4983 vom 2023-09-05", "url": "https://access.redhat.com/errata/RHSA-2023:4983" }, { "category": "external", "summary": "Hitachi Vulnerability Information HITACHI-SEC-2023-143 vom 2023-10-03", "url": "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-143/index.html" }, { "category": "external", "summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23", "url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=" }, { "category": "external", "summary": "Red Hat Security Advisory RHSA-2024:1027 vom 2024-02-28", "url": "https://access.redhat.com/errata/RHSA-2024:1027" } ], "source_lang": "en-US", "title": "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen", "tracking": { "current_release_date": "2024-02-28T23:00:00.000+00:00", "generator": { "date": "2024-02-29T09:06:41.350+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-0239", "initial_release_date": "2023-01-31T23:00:00.000+00:00", "revision_history": [ { "date": "2023-01-31T23:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-02-08T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-02-09T23:00:00.000+00:00", "number": "3", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-03-01T23:00:00.000+00:00", "number": "4", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-04-20T22:00:00.000+00:00", "number": "5", "summary": "Neue Updates von F5 aufgenommen" }, { "date": "2023-05-18T22:00:00.000+00:00", "number": "6", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-05-22T22:00:00.000+00:00", "number": "7", "summary": "Neue Updates von HITACHI aufgenommen" }, { "date": "2023-09-05T22:00:00.000+00:00", "number": "8", "summary": "Neue Updates von Red Hat aufgenommen" }, { "date": "2023-10-03T22:00:00.000+00:00", "number": "9", "summary": "Neue Updates von HITACHI aufgenommen" }, { "date": "2023-12-26T23:00:00.000+00:00", "number": "10", "summary": "Neue Updates von Dell aufgenommen" }, { "date": "2024-02-28T23:00:00.000+00:00", "number": "11", "summary": "Neue Updates von Red Hat aufgenommen" } ], "status": "final", "version": "11" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_name", "name": "F5 BIG-IP", "product": { "name": "F5 BIG-IP", "product_id": "T001663", "product_identification_helper": { "cpe": "cpe:/a:f5:big-ip:-" } } } ], "category": "vendor", "name": "F5" }, { "branches": [ { "branches": [ { "category": "product_name", "name": "Hitachi Ops Center", "product": { "name": "Hitachi Ops Center", "product_id": "T017562", "product_identification_helper": { "cpe": "cpe:/a:hitachi:ops_center:-" } } }, { "category": "product_version_range", "name": "\u003c Common Services 10.9.3-00", "product": { "name": "Hitachi Ops Center \u003c Common Services 10.9.3-00", "product_id": "T030195", "product_identification_helper": { "cpe": "cpe:/a:hitachi:ops_center:common_services_10.9.3-00" } } } ], "category": "product_name", "name": "Ops Center" } ], "category": "vendor", "name": "Hitachi" }, { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux", "product": { "name": "Red Hat Enterprise Linux", "product_id": "67646", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } }, { "branches": [ { "category": "product_version_range", "name": "Streams \u003c 2.4.0", "product": { "name": "Red Hat JBoss A-MQ Streams \u003c 2.4.0", "product_id": "T027764", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_amq:streams_2.4.0" } } } ], "category": "product_name", "name": "JBoss A-MQ" }, { "branches": [ { "category": "product_version_range", "name": "\u003c 7.4.9", "product": { "name": "Red Hat JBoss Enterprise Application Platform \u003c 7.4.9", "product_id": "T026073", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4.9" } } } ], "category": "product_name", "name": "JBoss Enterprise Application Platform" }, { "branches": [ { "category": "product_version", "name": "container platform 4.0.51", "product": { "name": "Red Hat OpenShift container platform 4.0.51", "product_id": "T026183", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift:container_platform_4.0.51" } } } ], "category": "product_name", "name": "OpenShift" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2015-9251", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2015-9251" }, { "cve": "CVE-2016-10735", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2016-10735" }, { "cve": "CVE-2017-18214", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2017-18214" }, { "cve": "CVE-2018-14040", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2018-14040" }, { "cve": "CVE-2018-14041", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2018-14041" }, { "cve": "CVE-2018-14042", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2018-14042" }, { "cve": "CVE-2019-11358", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2019-11358" }, { "cve": "CVE-2019-8331", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2019-8331" }, { "cve": "CVE-2020-11022", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2020-11022" }, { "cve": "CVE-2020-11023", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2020-11023" }, { "cve": "CVE-2022-3143", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-3143" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-40150", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-40150" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-42004", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-42004" }, { "cve": "CVE-2022-45047", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-45047" }, { "cve": "CVE-2022-45693", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-45693" }, { "cve": "CVE-2022-46364", "notes": [ { "category": "description", "text": "In Red Hat JBoss Enterprise Application Platform existieren mehrere Schwachstellen. Diese bestehen aufgrund von Fehlern in verschiedenen Komponenten. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Programmcode auszuf\u00fchren, ein Cross-Site-Scritping-Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Denial of Service Zustand herbeizuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen." } ], "product_status": { "known_affected": [ "T026183", "67646", "T001663", "T027764", "T030195", "T017562" ] }, "release_date": "2023-01-31T23:00:00Z", "title": "CVE-2022-46364" } ] }
wid-sec-w-2023-1808
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Oracle Financial Services ist eine Zusammenstellung von Anwendungen f\u00fcr den Finanzsektor und eine Technologiebasis zur Erf\u00fcllung von IT- und Gesch\u00e4ftsanforderungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1808 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1808.json" }, { "category": "self", "summary": "WID-SEC-2023-1808 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1808" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Financial Services Applications vom 2023-07-18", "url": "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixIFLX" } ], "source_lang": "en-US", "title": "Oracle Financial Services Applications: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-07-18T22:00:00.000+00:00", "generator": { "date": "2024-02-15T17:37:20.126+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-1808", "initial_release_date": "2023-07-18T22:00:00.000+00:00", "revision_history": [ { "date": "2023-07-18T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" } ], "status": "final", "version": "1" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Financial Services Applications 8.1.0", "product": { "name": "Oracle Financial Services Applications 8.1.0", "product_id": "T018983", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.1.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications \u003c= 14.3", "product": { "name": "Oracle Financial Services Applications \u003c= 14.3", "product_id": "T019887", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.3" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.1.1", "product": { "name": "Oracle Financial Services Applications 8.1.1", "product_id": "T019891", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.1.1" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.0.7", "product": { "name": "Oracle Financial Services Applications 8.0.7", "product_id": "T021676", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.0.7" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.0.8", "product": { "name": "Oracle Financial Services Applications 8.0.8", "product_id": "T021677", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.0.8" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.1.1.1", "product": { "name": "Oracle Financial Services Applications 8.1.1.1", "product_id": "T022835", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.1.1.1" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.0.8.1", "product": { "name": "Oracle Financial Services Applications 8.0.8.1", "product_id": "T022844", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.1" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.0.8.2", "product": { "name": "Oracle Financial Services Applications 8.0.8.2", "product_id": "T024990", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.0.8.2" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications \u003c= 14.7", "product": { "name": "Oracle Financial Services Applications \u003c= 14.7", "product_id": "T027348", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.7" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.1.2.4", "product": { "name": "Oracle Financial Services Applications 8.1.2.4", "product_id": "T027351", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.4" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.6", "product": { "name": "Oracle Financial Services Applications 14.6", "product_id": "T027355", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.6" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 18.2.0.0.0", "product": { "name": "Oracle Financial Services Applications 18.2.0.0.0", "product_id": "T028691", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:18.2.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 18.3.0.0.0", "product": { "name": "Oracle Financial Services Applications 18.3.0.0.0", "product_id": "T028692", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:18.3.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 19.1.0.0.0", "product": { "name": "Oracle Financial Services Applications 19.1.0.0.0", "product_id": "T028693", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:19.1.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 19.2.0.0.0", "product": { "name": "Oracle Financial Services Applications 19.2.0.0.0", "product_id": "T028694", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:19.2.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 21.1.0.0.0", "product": { "name": "Oracle Financial Services Applications 21.1.0.0.0", "product_id": "T028695", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:21.1.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 22.1.0.0.0", "product": { "name": "Oracle Financial Services Applications 22.1.0.0.0", "product_id": "T028696", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:22.1.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 22.2.0.0.0", "product": { "name": "Oracle Financial Services Applications 22.2.0.0.0", "product_id": "T028697", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:22.2.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.7.0.2.0", "product": { "name": "Oracle Financial Services Applications 14.7.0.2.0", "product_id": "T028698", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.2.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.7.1.0.0", "product": { "name": "Oracle Financial Services Applications 14.7.1.0.0", "product_id": "T028699", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.7.1.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.5.0.8.0", "product": { "name": "Oracle Financial Services Applications 14.5.0.8.0", "product_id": "T028700", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.5.0.8.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.6.0.4.0", "product": { "name": "Oracle Financial Services Applications 14.6.0.4.0", "product_id": "T028701", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.6.0.4.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.7.0.0.0", "product": { "name": "Oracle Financial Services Applications 14.7.0.0.0", "product_id": "T028702", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.0.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.6.0.3.0", "product": { "name": "Oracle Financial Services Applications 14.6.0.3.0", "product_id": "T028703", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.6.0.3.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.7.0.1.0", "product": { "name": "Oracle Financial Services Applications 14.7.0.1.0", "product_id": "T028704", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.7.0.1.0" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.1.2", "product": { "name": "Oracle Financial Services Applications 8.1.2", "product_id": "T028705", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.1.2" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 8.1.2.5", "product": { "name": "Oracle Financial Services Applications 8.1.2.5", "product_id": "T028706", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:8.1.2.5" } } }, { "category": "product_name", "name": "Oracle Financial Services Applications 14.7.0", "product": { "name": "Oracle Financial Services Applications 14.7.0", "product_id": "T028707", "product_identification_helper": { "cpe": "cpe:/a:oracle:financial_services_applications:14.7.0" } } } ], "category": "product_name", "name": "Financial Services Applications" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-28708", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-28708" }, { "cve": "CVE-2023-28439", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-28439" }, { "cve": "CVE-2023-25194", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-25194" }, { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-20863", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-20863" }, { "cve": "CVE-2023-20861", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-20861" }, { "cve": "CVE-2023-1436", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-1436" }, { "cve": "CVE-2023-1370", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2023-1370" }, { "cve": "CVE-2022-48285", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-48285" }, { "cve": "CVE-2022-46364", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-46364" }, { "cve": "CVE-2022-45693", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-45693" }, { "cve": "CVE-2022-45199", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-45199" }, { "cve": "CVE-2022-45143", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-45143" }, { "cve": "CVE-2022-45047", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-45047" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41881", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-41881" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-33879", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-33879" }, { "cve": "CVE-2022-3171", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-3171" }, { "cve": "CVE-2022-31692", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-31692" }, { "cve": "CVE-2022-31129", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-31129" }, { "cve": "CVE-2022-2048", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-2048" }, { "cve": "CVE-2022-1471", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2022-1471" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2021-37533" }, { "cve": "CVE-2020-13936", "notes": [ { "category": "description", "text": "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696" ], "last_affected": [ "T019887", "T027348" ] }, "release_date": "2023-07-18T22:00:00Z", "title": "CVE-2020-13936" } ] }
wid-sec-w-2023-1016
Vulnerability from csaf_certbund
Published
2023-04-18 22:00
Modified
2023-12-26 23:00
Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ "document": { "aggregate_severity": { "text": "hoch" }, "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "de-DE", "notes": [ { "category": "legal_disclaimer", "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen." }, { "category": "description", "text": "Oracle Fusion Middleware b\u00fcndelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", "title": "Produktbeschreibung" }, { "category": "summary", "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit zu gef\u00e4hrden.", "title": "Angriff" }, { "category": "general", "text": "- UNIX\n- Linux\n- Windows", "title": "Betroffene Betriebssysteme" } ], "publisher": { "category": "other", "contact_details": "csaf-provider@cert-bund.de", "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik", "namespace": "https://www.bsi.bund.de" }, "references": [ { "category": "self", "summary": "WID-SEC-W-2023-1016 - CSAF Version", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1016.json" }, { "category": "self", "summary": "WID-SEC-2023-1016 - Portal Version", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1016" }, { "category": "external", "summary": "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Fusion Middleware vom 2023-04-18", "url": "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixFMW" }, { "category": "external", "summary": "Dell Security Advisory DSA-2023-409 vom 2023-12-23", "url": "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=" } ], "source_lang": "en-US", "title": "Oracle Fusion Middleware: Mehrere Schwachstellen", "tracking": { "current_release_date": "2023-12-26T23:00:00.000+00:00", "generator": { "date": "2024-02-15T17:24:31.957+00:00", "engine": { "name": "BSI-WID", "version": "1.3.0" } }, "id": "WID-SEC-W-2023-1016", "initial_release_date": "2023-04-18T22:00:00.000+00:00", "revision_history": [ { "date": "2023-04-18T22:00:00.000+00:00", "number": "1", "summary": "Initiale Fassung" }, { "date": "2023-12-26T23:00:00.000+00:00", "number": "2", "summary": "Neue Updates von Dell aufgenommen" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.3.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.3.0", "product_id": "618028", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.3.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 12.2.1.4.0", "product": { "name": "Oracle Fusion Middleware 12.2.1.4.0", "product_id": "751674", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:12.2.1.4.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 14.1.1.0.0", "product": { "name": "Oracle Fusion Middleware 14.1.1.0.0", "product_id": "829576", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:14.1.1.0.0" } } }, { "category": "product_name", "name": "Oracle Fusion Middleware 8.5.6", "product": { "name": "Oracle Fusion Middleware 8.5.6", "product_id": "T024993", "product_identification_helper": { "cpe": "cpe:/a:oracle:fusion_middleware:8.5.6" } } } ], "category": "product_name", "name": "Fusion Middleware" } ], "category": "vendor", "name": "Oracle" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-24998", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-24998" }, { "cve": "CVE-2023-22899", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-22899" }, { "cve": "CVE-2023-21996", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-21996" }, { "cve": "CVE-2023-21979", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-21979" }, { "cve": "CVE-2023-21964", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-21964" }, { "cve": "CVE-2023-21960", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-21960" }, { "cve": "CVE-2023-21956", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-21956" }, { "cve": "CVE-2023-21931", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2023-21931" }, { "cve": "CVE-2022-46908", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-46908" }, { "cve": "CVE-2022-45693", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-45693" }, { "cve": "CVE-2022-45685", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-45685" }, { "cve": "CVE-2022-45047", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-45047" }, { "cve": "CVE-2022-43551", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-43551" }, { "cve": "CVE-2022-42890", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-42890" }, { "cve": "CVE-2022-42003", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-42003" }, { "cve": "CVE-2022-41966", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-41966" }, { "cve": "CVE-2022-41881", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-41881" }, { "cve": "CVE-2022-40304", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-40304" }, { "cve": "CVE-2022-40152", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-40152" }, { "cve": "CVE-2022-40151", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-40151" }, { "cve": "CVE-2022-40149", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-40149" }, { "cve": "CVE-2022-37434", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-37434" }, { "cve": "CVE-2022-36033", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-36033" }, { "cve": "CVE-2022-34305", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-34305" }, { "cve": "CVE-2022-33980", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-33980" }, { "cve": "CVE-2022-31160", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-31160" }, { "cve": "CVE-2022-29599", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-29599" }, { "cve": "CVE-2022-22965", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2022-22965" }, { "cve": "CVE-2021-37533", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2021-37533" }, { "cve": "CVE-2021-36374", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2021-36374" }, { "cve": "CVE-2021-36090", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2021-36090" }, { "cve": "CVE-2021-34798", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2021-34798" }, { "cve": "CVE-2021-31684", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2021-31684" }, { "cve": "CVE-2021-22569", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2021-22569" }, { "cve": "CVE-2020-6950", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2020-6950" }, { "cve": "CVE-2020-25638", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2020-25638" }, { "cve": "CVE-2020-13954", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2020-13954" }, { "cve": "CVE-2019-20916", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2019-20916" }, { "cve": "CVE-2018-14371", "notes": [ { "category": "description", "text": "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrit\u00e4t und Verf\u00fcgbarkeit gef\u00e4hrden. F\u00fcr die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle ver\u00f6ffentlicht keine weiteren Details zu diesen Schwachstellen (au\u00dfer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadensh\u00f6he ausschlie\u00dflich auf Basis der CVSS Impact Matrix. Der Maximalwert f\u00fcr diese Produkte ist \"HIGH\" f\u00fcr \"Confidentiality\", \"Integrity\" und \"Availability\" \u00fcber alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" f\u00fcr die Schadensh\u00f6he." } ], "product_status": { "known_affected": [ "T024993", "618028", "751674", "829576" ] }, "release_date": "2023-04-18T22:00:00Z", "title": "CVE-2018-14371" } ] }
gsd-2022-45693
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2022-45693", "description": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.", "id": "GSD-2022-45693", "references": [ "https://www.debian.org/security/2023/dsa-5312", "https://www.suse.com/security/cve/CVE-2022-45693.html", "https://access.redhat.com/errata/RHSA-2023:0544", "https://access.redhat.com/errata/RHSA-2023:0552", "https://access.redhat.com/errata/RHSA-2023:0553", "https://access.redhat.com/errata/RHSA-2023:0554", "https://access.redhat.com/errata/RHSA-2023:0556", "https://access.redhat.com/errata/RHSA-2023:1043", "https://access.redhat.com/errata/RHSA-2023:1044", "https://access.redhat.com/errata/RHSA-2023:1045", "https://access.redhat.com/errata/RHSA-2023:1047", "https://access.redhat.com/errata/RHSA-2023:1049" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-45693" ], "details": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.", "id": "GSD-2022-45693", "modified": "2023-12-13T01:19:24.469717Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-45693", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/jettison-json/jettison/issues/52", "refsource": "MISC", "url": "https://github.com/jettison-json/jettison/issues/52" }, { "name": "[debian-lts-announce] 20221231 [SECURITY] [DLA 3259-1] libjettison-java security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "name": "DSA-5312", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2023/dsa-5312" } ] } }, "gitlab.com": { "advisories": [ { "affected_range": "(,1.5.2)", "affected_versions": "All versions before 1.5.2", "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cwe_ids": [ "CWE-1035", "CWE-787", "CWE-937" ], "date": "2023-01-04", "description": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.", "fixed_versions": [ "1.5.2" ], "identifier": "CVE-2022-45693", "identifiers": [ "GHSA-grr4-wv38-f68w", "CVE-2022-45693" ], "not_impacted": "All versions starting from 1.5.2", "package_slug": "maven/org.codehaus.jettison/jettison", "pubdate": "2022-12-13", "solution": "Upgrade to version 1.5.2 or above.", "title": "Out-of-bounds Write", "urls": [ "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", "https://github.com/jettison-json/jettison/issues/52", "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html", "https://github.com/advisories/GHSA-grr4-wv38-f68w" ], "uuid": "11cb888c-4183-4eff-9405-1327a1d7d1e6" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:jettison_project:jettison:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "1.5.2", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-45693" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-787" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/jettison-json/jettison/issues/52", "refsource": "MISC", "tags": [ "Exploit", "Issue Tracking", "Third Party Advisory" ], "url": "https://github.com/jettison-json/jettison/issues/52" }, { "name": "[debian-lts-announce] 20221231 [SECURITY] [DLA 3259-1] libjettison-java security update", "refsource": "MLIST", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "name": "DSA-5312", "refsource": "DEBIAN", "tags": [ "Third Party Advisory" ], "url": "https://www.debian.org/security/2023/dsa-5312" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6 } }, "lastModifiedDate": "2023-01-26T17:35Z", "publishedDate": "2022-12-13T15:15Z" } } }
ghsa-grr4-wv38-f68w
Vulnerability from github
Published
2022-12-13 15:30
Modified
2023-01-04 14:25
Severity ?
Summary
Jettison Out-of-bounds Write vulnerability
Details
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.codehaus.jettison:jettison" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.5.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-45693" ], "database_specific": { "cwe_ids": [ "CWE-787" ], "github_reviewed": true, "github_reviewed_at": "2023-01-04T14:25:45Z", "nvd_published_at": "2022-12-13T15:15:00Z", "severity": "HIGH" }, "details": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.", "id": "GHSA-grr4-wv38-f68w", "modified": "2023-01-04T14:25:45Z", "published": "2022-12-13T15:30:27Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" }, { "type": "WEB", "url": "https://github.com/jettison-json/jettison/issues/52" }, { "type": "PACKAGE", "url": "https://github.com/jettison-json/jettison" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5312" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" } ], "summary": "Jettison Out-of-bounds Write vulnerability" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.