Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2023-0044
Vulnerability from cvelistv5
Published
2023-02-23 00:00
Modified
2025-03-12 14:32
Severity ?
EPSS score ?
Summary
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-0044 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-0044 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | quarkus-vertx-http |
Version: 1.11.7 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.575Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { tags: [ "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-0044", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-03-12T14:32:02.975305Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-03-12T14:32:14.395Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "quarkus-vertx-http", vendor: "n/a", versions: [ { status: "affected", version: "1.11.7", }, ], }, ], descriptions: [ { lang: "en", value: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", }, ], problemTypes: [ { descriptions: [ { description: "cross-site attack", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-02-23T00:00:00.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-0044", datePublished: "2023-02-23T00:00:00.000Z", dateReserved: "2023-01-04T00:00:00.000Z", dateUpdated: "2025-03-12T14:32:14.395Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.13.7\", \"matchCriteriaId\": \"9CDB1115-A9F5-46F0-AB03-BBEFD72FA293\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.\"}]", id: "CVE-2023-0044", lastModified: "2024-11-21T07:36:27.050", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}]}", published: "2023-02-23T20:15:12.823", references: "[{\"url\": \"https://access.redhat.com/security/cve/CVE-2023-0044\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2158081\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2023-0044\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2158081\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2023-0044\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2023-02-23T20:15:12.823\",\"lastModified\":\"2024-11-21T07:36:27.050\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.13.7\",\"matchCriteriaId\":\"9CDB1115-A9F5-46F0-AB03-BBEFD72FA293\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-0044\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2158081\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2023-0044\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2158081\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2023-0044\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2158081\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T04:54:32.575Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-0044\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-12T14:32:02.975305Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-12T14:32:09.589Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"n/a\", \"product\": \"quarkus-vertx-http\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.11.7\"}]}], \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2023-0044\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2158081\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"cross-site attack\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2023-02-23T00:00:00.000Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2023-0044\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-12T14:32:14.395Z\", \"dateReserved\": \"2023-01-04T00:00:00.000Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2023-02-23T00:00:00.000Z\", \"assignerShortName\": \"redhat\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
gsd-2023-0044
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.
Aliases
Aliases
{ GSD: { alias: "CVE-2023-0044", id: "GSD-2023-0044", references: [ "https://access.redhat.com/errata/RHSA-2023:0758", "https://access.redhat.com/errata/RHSA-2023:1006", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2023-0044", ], details: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", id: "GSD-2023-0044", modified: "2023-12-13T01:20:22.443035Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2023-0044", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "quarkus-vertx-http", version: { version_data: [ { version_value: "1.11.7", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "cross-site attack", }, ], }, ], }, references: { reference_data: [ { name: "https://access.redhat.com/security/cve/CVE-2023-0044", refsource: "MISC", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,2.13.7.Final)", affected_versions: "All versions before 2.13.7.final", cwe_ids: [ "CWE-1035", "CWE-352", "CWE-937", ], date: "2023-02-23", description: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", fixed_versions: [ "2.13.7.Final", ], identifier: "CVE-2023-0044", identifiers: [ "GHSA-c57v-hc7m-8px2", "CVE-2023-0044", ], not_impacted: "All versions starting from 2.13.7.final", package_slug: "maven/io.quarkus/quarkus-vertx-http", pubdate: "2023-02-23", solution: "Upgrade to version 2.13.7.Final or above.", title: "Cross-Site Request Forgery (CSRF)", urls: [ "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", "https://access.redhat.com/security/cve/CVE-2023-0044", "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", "https://github.com/advisories/GHSA-c57v-hc7m-8px2", ], uuid: "49449966-350d-41da-9327-edc5ea455a7e", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", cpe_name: [], versionEndExcluding: "2.13.7", vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2023-0044", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://access.redhat.com/security/cve/CVE-2023-0044", refsource: "MISC", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", refsource: "MISC", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], }, }, impact: { baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, }, }, lastModifiedDate: "2023-03-03T15:58Z", publishedDate: "2023-02-23T20:15Z", }, }, }
RHSA-2023:1006
Vulnerability from csaf_redhat
Published
2023-03-08 14:54
Modified
2025-03-14 22:31
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.
Security Fix(es):
*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]
*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]
*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]
*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]
*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]
*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]
*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]
*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]
*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed\nin the References section.\n\nSecurity Fix(es):\n\n*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]\n\n*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]\n\n*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]\n\n*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]\n\n*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]\n\n*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]\n\n*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]\n\n*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]\n\n*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:1006", url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/articles/4966181", url: "https://access.redhat.com/articles/4966181", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7", }, { category: "external", summary: "2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "QUARKUS-2593", url: "https://issues.redhat.com/browse/QUARKUS-2593", }, { category: "external", summary: "QUARKUS-2705", url: "https://issues.redhat.com/browse/QUARKUS-2705", }, { category: "external", summary: "QUARKUS-2852", url: "https://issues.redhat.com/browse/QUARKUS-2852", }, { category: "external", summary: "QUARKUS-2854", url: "https://issues.redhat.com/browse/QUARKUS-2854", }, { category: "external", summary: "QUARKUS-2855", url: "https://issues.redhat.com/browse/QUARKUS-2855", }, { category: "external", summary: "QUARKUS-2856", url: "https://issues.redhat.com/browse/QUARKUS-2856", }, { category: "external", summary: "QUARKUS-2861", url: "https://issues.redhat.com/browse/QUARKUS-2861", }, { category: "external", summary: "QUARKUS-2862", url: "https://issues.redhat.com/browse/QUARKUS-2862", }, { category: "external", summary: "QUARKUS-2864", url: "https://issues.redhat.com/browse/QUARKUS-2864", }, { category: "external", summary: "QUARKUS-2865", url: "https://issues.redhat.com/browse/QUARKUS-2865", }, { category: "external", summary: "QUARKUS-2866", url: "https://issues.redhat.com/browse/QUARKUS-2866", }, { category: "external", summary: "QUARKUS-2867", url: "https://issues.redhat.com/browse/QUARKUS-2867", }, { category: "external", summary: "QUARKUS-2869", url: "https://issues.redhat.com/browse/QUARKUS-2869", }, { category: "external", summary: "QUARKUS-2871", url: "https://issues.redhat.com/browse/QUARKUS-2871", }, { category: "external", summary: "QUARKUS-2872", url: "https://issues.redhat.com/browse/QUARKUS-2872", }, { category: "external", summary: "QUARKUS-2873", url: "https://issues.redhat.com/browse/QUARKUS-2873", }, { category: "external", summary: "QUARKUS-2874", url: "https://issues.redhat.com/browse/QUARKUS-2874", }, { category: "external", summary: "QUARKUS-2876", url: "https://issues.redhat.com/browse/QUARKUS-2876", }, { category: "external", summary: "QUARKUS-2877", url: "https://issues.redhat.com/browse/QUARKUS-2877", }, { category: "external", summary: "QUARKUS-2879", url: "https://issues.redhat.com/browse/QUARKUS-2879", }, { category: "external", summary: "QUARKUS-2880", url: "https://issues.redhat.com/browse/QUARKUS-2880", }, { category: "external", summary: "QUARKUS-2882", url: "https://issues.redhat.com/browse/QUARKUS-2882", }, { category: "external", summary: "QUARKUS-2883", url: "https://issues.redhat.com/browse/QUARKUS-2883", }, { category: "external", summary: "QUARKUS-2884", url: "https://issues.redhat.com/browse/QUARKUS-2884", }, { category: "external", summary: "QUARKUS-2885", url: "https://issues.redhat.com/browse/QUARKUS-2885", }, { category: "external", summary: "QUARKUS-2886", url: "https://issues.redhat.com/browse/QUARKUS-2886", }, { category: "external", summary: "QUARKUS-2887", url: "https://issues.redhat.com/browse/QUARKUS-2887", }, { category: "external", summary: "QUARKUS-2888", url: "https://issues.redhat.com/browse/QUARKUS-2888", }, { category: "external", summary: "QUARKUS-2889", url: "https://issues.redhat.com/browse/QUARKUS-2889", }, { category: "external", summary: "QUARKUS-2893", url: "https://issues.redhat.com/browse/QUARKUS-2893", }, { category: "external", summary: "QUARKUS-2895", url: "https://issues.redhat.com/browse/QUARKUS-2895", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1006.json", }, ], title: "Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update", tracking: { current_release_date: "2025-03-14T22:31:24+00:00", generator: { date: "2025-03-14T22:31:24+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:1006", initial_release_date: "2023-03-08T14:54:57+00:00", revision_history: [ { date: "2023-03-08T14:54:57+00:00", number: "1", summary: "Initial version", }, { date: "2023-03-08T14:54:57+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T22:31:24+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Quarkus 2.7.7", product: { name: "Red Hat build of Quarkus 2.7.7", product_id: "Red Hat build of Quarkus 2.7.7", product_identification_helper: { cpe: "cpe:/a:redhat:quarkus:2.7", }, }, }, ], category: "product_family", name: "Red Hat build of Quarkus", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-31197", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2022-09-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129428", }, ], notes: [ { category: "description", text: "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.", title: "Vulnerability description", }, { category: "summary", text: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", title: "Vulnerability summary", }, { category: "other", text: "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31197", }, { category: "external", summary: "RHBZ#2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31197", url: "https://www.cve.org/CVERecord?id=CVE-2022-31197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", }, { category: "external", summary: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", }, ], release_date: "2022-08-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { acknowledgments: [ { names: [ "Paulo Lopes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2023-0044", discovery_date: "2023-01-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158081", }, ], notes: [ { category: "description", text: "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { category: "external", summary: "RHBZ#2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0044", url: "https://www.cve.org/CVERecord?id=CVE-2023-0044", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { category: "external", summary: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", url: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", }, ], release_date: "2023-01-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "workaround", details: "This attack can be prevented with the Quarkus CSRF Prevention feature.", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", }, ], }
rhsa-2023:0758
Vulnerability from csaf_redhat
Published
2023-02-14 12:11
Modified
2025-03-14 22:31
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]
* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]
* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]
* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]
* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a\ndetailed severity rating, is available for each vulnerability. For more\ninformation, see the CVE links in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]\n\n* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]\n\n* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]\n\n* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]\n\n* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:0758", url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/", url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/", }, { category: "external", summary: "https://access.redhat.com/articles/4966181", url: "https://access.redhat.com/articles/4966181", }, { category: "external", summary: "2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0758.json", }, ], title: "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update", tracking: { current_release_date: "2025-03-14T22:31:06+00:00", generator: { date: "2025-03-14T22:31:06+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:0758", initial_release_date: "2023-02-14T12:11:49+00:00", revision_history: [ { date: "2023-02-14T12:11:49+00:00", number: "1", summary: "Initial version", }, { date: "2023-02-14T12:11:49+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T22:31:06+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Quarkus", product: { name: "Red Hat build of Quarkus", product_id: "Red Hat build of Quarkus", product_identification_helper: { cpe: "cpe:/a:redhat:quarkus:2.13", }, }, }, ], category: "product_family", name: "Red Hat build of Quarkus", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-45047", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145194", }, ], notes: [ { category: "description", text: "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", title: "Vulnerability description", }, { category: "summary", text: "mina-sshd: Java unsafe deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45047", }, { category: "external", summary: "RHBZ#2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45047", url: "https://www.cve.org/CVERecord?id=CVE-2022-45047", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", }, { category: "external", summary: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", url: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", }, ], release_date: "2022-11-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "workaround", details: "From the maintainer:\n\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", product_ids: [ "Red Hat build of Quarkus", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "mina-sshd: Java unsafe deserialization vulnerability", }, { acknowledgments: [ { names: [ "Paulo Lopes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2023-0044", discovery_date: "2023-01-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158081", }, ], notes: [ { category: "description", text: "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { category: "external", summary: "RHBZ#2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0044", url: "https://www.cve.org/CVERecord?id=CVE-2023-0044", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { category: "external", summary: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", url: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", }, ], release_date: "2023-01-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "workaround", details: "This attack can be prevented with the Quarkus CSRF Prevention feature.", product_ids: [ "Red Hat build of Quarkus", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", }, ], }
rhsa-2023:1006
Vulnerability from csaf_redhat
Published
2023-03-08 14:54
Modified
2025-03-14 22:31
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.
Security Fix(es):
*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]
*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]
*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]
*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]
*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]
*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]
*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]
*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]
*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed\nin the References section.\n\nSecurity Fix(es):\n\n*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]\n\n*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]\n\n*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]\n\n*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]\n\n*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]\n\n*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]\n\n*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]\n\n*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]\n\n*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:1006", url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/articles/4966181", url: "https://access.redhat.com/articles/4966181", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7", }, { category: "external", summary: "2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "QUARKUS-2593", url: "https://issues.redhat.com/browse/QUARKUS-2593", }, { category: "external", summary: "QUARKUS-2705", url: "https://issues.redhat.com/browse/QUARKUS-2705", }, { category: "external", summary: "QUARKUS-2852", url: "https://issues.redhat.com/browse/QUARKUS-2852", }, { category: "external", summary: "QUARKUS-2854", url: "https://issues.redhat.com/browse/QUARKUS-2854", }, { category: "external", summary: "QUARKUS-2855", url: "https://issues.redhat.com/browse/QUARKUS-2855", }, { category: "external", summary: "QUARKUS-2856", url: "https://issues.redhat.com/browse/QUARKUS-2856", }, { category: "external", summary: "QUARKUS-2861", url: "https://issues.redhat.com/browse/QUARKUS-2861", }, { category: "external", summary: "QUARKUS-2862", url: "https://issues.redhat.com/browse/QUARKUS-2862", }, { category: "external", summary: "QUARKUS-2864", url: "https://issues.redhat.com/browse/QUARKUS-2864", }, { category: "external", summary: "QUARKUS-2865", url: "https://issues.redhat.com/browse/QUARKUS-2865", }, { category: "external", summary: "QUARKUS-2866", url: "https://issues.redhat.com/browse/QUARKUS-2866", }, { category: "external", summary: "QUARKUS-2867", url: "https://issues.redhat.com/browse/QUARKUS-2867", }, { category: "external", summary: "QUARKUS-2869", url: "https://issues.redhat.com/browse/QUARKUS-2869", }, { category: "external", summary: "QUARKUS-2871", url: "https://issues.redhat.com/browse/QUARKUS-2871", }, { category: "external", summary: "QUARKUS-2872", url: "https://issues.redhat.com/browse/QUARKUS-2872", }, { category: "external", summary: "QUARKUS-2873", url: "https://issues.redhat.com/browse/QUARKUS-2873", }, { category: "external", summary: "QUARKUS-2874", url: "https://issues.redhat.com/browse/QUARKUS-2874", }, { category: "external", summary: "QUARKUS-2876", url: "https://issues.redhat.com/browse/QUARKUS-2876", }, { category: "external", summary: "QUARKUS-2877", url: "https://issues.redhat.com/browse/QUARKUS-2877", }, { category: "external", summary: "QUARKUS-2879", url: "https://issues.redhat.com/browse/QUARKUS-2879", }, { category: "external", summary: "QUARKUS-2880", url: "https://issues.redhat.com/browse/QUARKUS-2880", }, { category: "external", summary: "QUARKUS-2882", url: "https://issues.redhat.com/browse/QUARKUS-2882", }, { category: "external", summary: "QUARKUS-2883", url: "https://issues.redhat.com/browse/QUARKUS-2883", }, { category: "external", summary: "QUARKUS-2884", url: "https://issues.redhat.com/browse/QUARKUS-2884", }, { category: "external", summary: "QUARKUS-2885", url: "https://issues.redhat.com/browse/QUARKUS-2885", }, { category: "external", summary: "QUARKUS-2886", url: "https://issues.redhat.com/browse/QUARKUS-2886", }, { category: "external", summary: "QUARKUS-2887", url: "https://issues.redhat.com/browse/QUARKUS-2887", }, { category: "external", summary: "QUARKUS-2888", url: "https://issues.redhat.com/browse/QUARKUS-2888", }, { category: "external", summary: "QUARKUS-2889", url: "https://issues.redhat.com/browse/QUARKUS-2889", }, { category: "external", summary: "QUARKUS-2893", url: "https://issues.redhat.com/browse/QUARKUS-2893", }, { category: "external", summary: "QUARKUS-2895", url: "https://issues.redhat.com/browse/QUARKUS-2895", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1006.json", }, ], title: "Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update", tracking: { current_release_date: "2025-03-14T22:31:24+00:00", generator: { date: "2025-03-14T22:31:24+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:1006", initial_release_date: "2023-03-08T14:54:57+00:00", revision_history: [ { date: "2023-03-08T14:54:57+00:00", number: "1", summary: "Initial version", }, { date: "2023-03-08T14:54:57+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T22:31:24+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Quarkus 2.7.7", product: { name: "Red Hat build of Quarkus 2.7.7", product_id: "Red Hat build of Quarkus 2.7.7", product_identification_helper: { cpe: "cpe:/a:redhat:quarkus:2.7", }, }, }, ], category: "product_family", name: "Red Hat build of Quarkus", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-31197", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2022-09-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129428", }, ], notes: [ { category: "description", text: "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.", title: "Vulnerability description", }, { category: "summary", text: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", title: "Vulnerability summary", }, { category: "other", text: "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31197", }, { category: "external", summary: "RHBZ#2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31197", url: "https://www.cve.org/CVERecord?id=CVE-2022-31197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", }, { category: "external", summary: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", }, ], release_date: "2022-08-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { acknowledgments: [ { names: [ "Paulo Lopes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2023-0044", discovery_date: "2023-01-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158081", }, ], notes: [ { category: "description", text: "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { category: "external", summary: "RHBZ#2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0044", url: "https://www.cve.org/CVERecord?id=CVE-2023-0044", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { category: "external", summary: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", url: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", }, ], release_date: "2023-01-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "workaround", details: "This attack can be prevented with the Quarkus CSRF Prevention feature.", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", }, ], }
rhsa-2023_0758
Vulnerability from csaf_redhat
Published
2023-02-14 12:11
Modified
2024-12-17 23:01
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]
* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]
* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]
* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]
* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a\ndetailed severity rating, is available for each vulnerability. For more\ninformation, see the CVE links in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]\n\n* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]\n\n* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]\n\n* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]\n\n* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:0758", url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/", url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/", }, { category: "external", summary: "https://access.redhat.com/articles/4966181", url: "https://access.redhat.com/articles/4966181", }, { category: "external", summary: "2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0758.json", }, ], title: "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update", tracking: { current_release_date: "2024-12-17T23:01:10+00:00", generator: { date: "2024-12-17T23:01:10+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:0758", initial_release_date: "2023-02-14T12:11:49+00:00", revision_history: [ { date: "2023-02-14T12:11:49+00:00", number: "1", summary: "Initial version", }, { date: "2023-02-14T12:11:49+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T23:01:10+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Quarkus", product: { name: "Red Hat build of Quarkus", product_id: "Red Hat build of Quarkus", product_identification_helper: { cpe: "cpe:/a:redhat:quarkus:2.13", }, }, }, ], category: "product_family", name: "Red Hat build of Quarkus", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-45047", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145194", }, ], notes: [ { category: "description", text: "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", title: "Vulnerability description", }, { category: "summary", text: "mina-sshd: Java unsafe deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45047", }, { category: "external", summary: "RHBZ#2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45047", url: "https://www.cve.org/CVERecord?id=CVE-2022-45047", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", }, { category: "external", summary: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", url: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", }, ], release_date: "2022-11-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "workaround", details: "From the maintainer:\n\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", product_ids: [ "Red Hat build of Quarkus", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "mina-sshd: Java unsafe deserialization vulnerability", }, { acknowledgments: [ { names: [ "Paulo Lopes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2023-0044", discovery_date: "2023-01-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158081", }, ], notes: [ { category: "description", text: "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { category: "external", summary: "RHBZ#2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0044", url: "https://www.cve.org/CVERecord?id=CVE-2023-0044", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { category: "external", summary: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", url: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", }, ], release_date: "2023-01-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "workaround", details: "This attack can be prevented with the Quarkus CSRF Prevention feature.", product_ids: [ "Red Hat build of Quarkus", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", }, ], }
RHSA-2023:0758
Vulnerability from csaf_redhat
Published
2023-02-14 12:11
Modified
2025-03-14 22:31
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus.
Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability. For more
information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed in the References section.
Security Fix(es):
* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]
* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]
* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]
* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]
* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat build of Quarkus.\n\nRed Hat Product Security has rated this update as having a security impact of\nModerate. A Common Vulnerability Scoring System (CVSS) base score, which gives a\ndetailed severity rating, is available for each vulnerability. For more\ninformation, see the CVE links in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat build of Quarkus 2.13.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2.13]\n\n* CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS [quarkus-2.13]\n\n* CVE-2022-45047 sshd-common: mina-sshd: Java unsafe deserialization vulnerability [quarkus-2.13]\n\n* CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2.13]\n\n* CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2.13]\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:0758", url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=redhat.quarkus&downloadType=distributions&version=2.13.7", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/", url: "https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/2.13/", }, { category: "external", summary: "https://access.redhat.com/articles/4966181", url: "https://access.redhat.com/articles/4966181", }, { category: "external", summary: "2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0758.json", }, ], title: "Red Hat Security Advisory: Red Hat build of Quarkus 2.13.7 release and security update", tracking: { current_release_date: "2025-03-14T22:31:06+00:00", generator: { date: "2025-03-14T22:31:06+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:0758", initial_release_date: "2023-02-14T12:11:49+00:00", revision_history: [ { date: "2023-02-14T12:11:49+00:00", number: "1", summary: "Initial version", }, { date: "2023-02-14T12:11:49+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T22:31:06+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Quarkus", product: { name: "Red Hat build of Quarkus", product_id: "Red Hat build of Quarkus", product_identification_helper: { cpe: "cpe:/a:redhat:quarkus:2.13", }, }, }, ], category: "product_family", name: "Red Hat build of Quarkus", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-45047", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145194", }, ], notes: [ { category: "description", text: "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", title: "Vulnerability description", }, { category: "summary", text: "mina-sshd: Java unsafe deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45047", }, { category: "external", summary: "RHBZ#2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45047", url: "https://www.cve.org/CVERecord?id=CVE-2022-45047", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", }, { category: "external", summary: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", url: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", }, ], release_date: "2022-11-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "workaround", details: "From the maintainer:\n\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", product_ids: [ "Red Hat build of Quarkus", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "mina-sshd: Java unsafe deserialization vulnerability", }, { acknowledgments: [ { names: [ "Paulo Lopes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2023-0044", discovery_date: "2023-01-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158081", }, ], notes: [ { category: "description", text: "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { category: "external", summary: "RHBZ#2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0044", url: "https://www.cve.org/CVERecord?id=CVE-2023-0044", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { category: "external", summary: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", url: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", }, ], release_date: "2023-01-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-02-14T12:11:49+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "workaround", details: "This attack can be prevented with the Quarkus CSRF Prevention feature.", product_ids: [ "Red Hat build of Quarkus", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", }, ], }
rhsa-2023_1006
Vulnerability from csaf_redhat
Published
2023-03-08 14:54
Modified
2024-12-17 23:02
Summary
Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update
Notes
Topic
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.
Details
This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug
fixes, and enhancements. For more information, see the release notes page listed
in the References section.
Security Fix(es):
*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]
*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]
*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]
*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]
*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]
*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]
*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]
*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]
*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability. For more information, see the CVE links in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat build of Quarkus 2.7.7 includes security updates, bug\nfixes, and enhancements. For more information, see the release notes page listed\nin the References section.\n\nSecurity Fix(es):\n\n*CVE-2023-0044 quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure [quarkus-2]\n\n*CVE-2022-41946 jdbc-postgresql: postgresql-jdbc: PreparedStatement.setText(int, InputStream) will create a temporary file if the InputStream is larger than 2k [quarkus-2]\n\n*CVE-2022-31197 postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names [quarkus-2.7]\n\n*CVE-2022-42004 jackson-databind: use of deeply nested arrays [quarkus-2.7]\n\n*CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [quarkus-2.7]\n\n*CVE-2022-42889 commons-text: apache-commons-text: variable interpolation RCE [quarkus-2.7]\n\n*CVE-2022-1471 snakeyaml: Constructor Deserialization Remote Code Execution [quarkus-2]\n\n*CVE-2022-41966 xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow [quarkus-2.7]\n\n*CVE-2022-3171 protobuf-java: timeout in parser leads to DoS [quarkus-2]", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:1006", url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/articles/4966181", url: "https://access.redhat.com/articles/4966181", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=redhat.quarkus&version=2.7.7", }, { category: "external", summary: "2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "QUARKUS-2593", url: "https://issues.redhat.com/browse/QUARKUS-2593", }, { category: "external", summary: "QUARKUS-2705", url: "https://issues.redhat.com/browse/QUARKUS-2705", }, { category: "external", summary: "QUARKUS-2852", url: "https://issues.redhat.com/browse/QUARKUS-2852", }, { category: "external", summary: "QUARKUS-2854", url: "https://issues.redhat.com/browse/QUARKUS-2854", }, { category: "external", summary: "QUARKUS-2855", url: "https://issues.redhat.com/browse/QUARKUS-2855", }, { category: "external", summary: "QUARKUS-2856", url: "https://issues.redhat.com/browse/QUARKUS-2856", }, { category: "external", summary: "QUARKUS-2861", url: "https://issues.redhat.com/browse/QUARKUS-2861", }, { category: "external", summary: "QUARKUS-2862", url: "https://issues.redhat.com/browse/QUARKUS-2862", }, { category: "external", summary: "QUARKUS-2864", url: "https://issues.redhat.com/browse/QUARKUS-2864", }, { category: "external", summary: "QUARKUS-2865", url: "https://issues.redhat.com/browse/QUARKUS-2865", }, { category: "external", summary: "QUARKUS-2866", url: "https://issues.redhat.com/browse/QUARKUS-2866", }, { category: "external", summary: "QUARKUS-2867", url: "https://issues.redhat.com/browse/QUARKUS-2867", }, { category: "external", summary: "QUARKUS-2869", url: "https://issues.redhat.com/browse/QUARKUS-2869", }, { category: "external", summary: "QUARKUS-2871", url: "https://issues.redhat.com/browse/QUARKUS-2871", }, { category: "external", summary: "QUARKUS-2872", url: "https://issues.redhat.com/browse/QUARKUS-2872", }, { category: "external", summary: "QUARKUS-2873", url: "https://issues.redhat.com/browse/QUARKUS-2873", }, { category: "external", summary: "QUARKUS-2874", url: "https://issues.redhat.com/browse/QUARKUS-2874", }, { category: "external", summary: "QUARKUS-2876", url: "https://issues.redhat.com/browse/QUARKUS-2876", }, { category: "external", summary: "QUARKUS-2877", url: "https://issues.redhat.com/browse/QUARKUS-2877", }, { category: "external", summary: "QUARKUS-2879", url: "https://issues.redhat.com/browse/QUARKUS-2879", }, { category: "external", summary: "QUARKUS-2880", url: "https://issues.redhat.com/browse/QUARKUS-2880", }, { category: "external", summary: "QUARKUS-2882", url: "https://issues.redhat.com/browse/QUARKUS-2882", }, { category: "external", summary: "QUARKUS-2883", url: "https://issues.redhat.com/browse/QUARKUS-2883", }, { category: "external", summary: "QUARKUS-2884", url: "https://issues.redhat.com/browse/QUARKUS-2884", }, { category: "external", summary: "QUARKUS-2885", url: "https://issues.redhat.com/browse/QUARKUS-2885", }, { category: "external", summary: "QUARKUS-2886", url: "https://issues.redhat.com/browse/QUARKUS-2886", }, { category: "external", summary: "QUARKUS-2887", url: "https://issues.redhat.com/browse/QUARKUS-2887", }, { category: "external", summary: "QUARKUS-2888", url: "https://issues.redhat.com/browse/QUARKUS-2888", }, { category: "external", summary: "QUARKUS-2889", url: "https://issues.redhat.com/browse/QUARKUS-2889", }, { category: "external", summary: "QUARKUS-2893", url: "https://issues.redhat.com/browse/QUARKUS-2893", }, { category: "external", summary: "QUARKUS-2895", url: "https://issues.redhat.com/browse/QUARKUS-2895", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1006.json", }, ], title: "Red Hat Security Advisory: Red Hat build of Quarkus 2.7.7 release and security update", tracking: { current_release_date: "2024-12-17T23:02:32+00:00", generator: { date: "2024-12-17T23:02:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:1006", initial_release_date: "2023-03-08T14:54:57+00:00", revision_history: [ { date: "2023-03-08T14:54:57+00:00", number: "1", summary: "Initial version", }, { date: "2023-03-08T14:54:57+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T23:02:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Quarkus 2.7.7", product: { name: "Red Hat build of Quarkus 2.7.7", product_id: "Red Hat build of Quarkus 2.7.7", product_identification_helper: { cpe: "cpe:/a:redhat:quarkus:2.7", }, }, }, ], category: "product_family", name: "Red Hat build of Quarkus", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.2, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-31197", cwe: { id: "CWE-89", name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, discovery_date: "2022-09-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129428", }, ], notes: [ { category: "description", text: "A flaw was found in PostgresQL. This flaw allows an attacker to benefit from a miss escaping character and leads to a SQL injection attack due to Java.sql.ResultRow.refreshRow() implementation from PGSQL.", title: "Vulnerability description", }, { category: "summary", text: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", title: "Vulnerability summary", }, { category: "other", text: "User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be presented soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31197", }, { category: "external", summary: "RHBZ#2129428", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129428", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31197", url: "https://www.cve.org/CVERecord?id=CVE-2022-31197", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31197", }, { category: "external", summary: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", url: "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2", }, ], release_date: "2022-08-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { acknowledgments: [ { names: [ "Paulo Lopes", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2023-0044", discovery_date: "2023-01-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158081", }, ], notes: [ { category: "description", text: "A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Quarkus 2.7.7", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { category: "external", summary: "RHBZ#2158081", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0044", url: "https://www.cve.org/CVERecord?id=CVE-2023-0044", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { category: "external", summary: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", url: "https://github.com/advisories/GHSA-c57v-hc7m-8px2", }, ], release_date: "2023-01-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-03-08T14:54:57+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "workaround", details: "This attack can be prevented with the Quarkus CSRF Prevention feature.", product_ids: [ "Red Hat build of Quarkus 2.7.7", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Quarkus 2.7.7", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure", }, ], }
ghsa-c57v-hc7m-8px2
Vulnerability from github
Published
2023-02-23 21:30
Modified
2023-03-03 23:26
Severity ?
Summary
Cross-site Scripting in Quarkus
Details
If the Quarkus Form Authentication session cookie Path attribute is set to / then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.
{ affected: [ { package: { ecosystem: "Maven", name: "io.quarkus:quarkus-vertx-http", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "2.13.7.Final", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2023-0044", ], database_specific: { cwe_ids: [ "CWE-79", ], github_reviewed: true, github_reviewed_at: "2023-02-23T22:15:09Z", nvd_published_at: "2023-02-23T20:15:00Z", severity: "MODERATE", }, details: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", id: "GHSA-c57v-hc7m-8px2", modified: "2023-03-03T23:26:50Z", published: "2023-02-23T21:30:16Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0044", }, { type: "WEB", url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { type: "WEB", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { type: "PACKAGE", url: "https://github.com/quarkusio/quarkus", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", type: "CVSS_V3", }, ], summary: "Cross-site Scripting in Quarkus", }
wid-sec-w-2023-0370
Vulnerability from csaf_certbund
Published
2023-02-14 23:00
Modified
2023-06-29 22:00
Summary
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um einen Denial of Service Angriff durchzuführen und um Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um einen Denial of Service Angriff durchzuführen und um Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-0370 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0370.json", }, { category: "self", summary: "WID-SEC-2023-0370 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0370", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3954 vom 2023-06-29", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3374 vom 2023-06-03", url: "https://access.redhat.com/errata/RHSA-2023:3374", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:1516 vom 2023-04-01", url: "https://access.redhat.com/errata/RHSA-2023:1516", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:1006 vom 2023-03-09", url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "external", summary: "Red Hat Security Advisory vom 2023-02-14", url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:0888 vom 2023-02-21", url: "https://access.redhat.com/errata/RHSA-2023:0888", }, ], source_lang: "en-US", title: "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen", tracking: { current_release_date: "2023-06-29T22:00:00.000+00:00", generator: { date: "2024-08-15T17:43:37.714+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-0370", initial_release_date: "2023-02-14T23:00:00.000+00:00", revision_history: [ { date: "2023-02-14T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-02-21T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-03-08T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-04-02T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-04T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-29T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, { category: "product_name", name: "Red Hat Integration Camel Extensions for Quarkus 1", product: { name: "Red Hat Integration Camel Extensions for Quarkus 1", product_id: "T026453", product_identification_helper: { cpe: "cpe:/a:redhat:integration:camel_extensions_for_quarkus_1", }, }, }, { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform < Build of Quarkus 2.13.7", product: { name: "Red Hat JBoss Enterprise Application Platform < Build of Quarkus 2.13.7", product_id: "130262", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0", }, }, }, { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.4", product: { name: "Red Hat JBoss Enterprise Application Platform 7.4", product_id: "978052", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", }, }, }, ], category: "product_name", name: "JBoss Enterprise Application Platform", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-41881", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Der Fehler besteht in der Komponente \"netty\" und kann mithilfe einer speziellen Nachricht ausgelöst werden. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "67646", "978052", "T026453", ], }, release_date: "2023-02-14T23:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2023-0044", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Aktuell wurden von Red Hat keine Details zur Schwachstelle veröffentlicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.", }, ], product_status: { known_affected: [ "67646", "978052", "T026453", ], }, release_date: "2023-02-14T23:00:00.000+00:00", title: "CVE-2023-0044", }, ], }
WID-SEC-W-2023-0370
Vulnerability from csaf_certbund
Published
2023-02-14 23:00
Modified
2023-06-29 22:00
Summary
Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um einen Denial of Service Angriff durchzuführen und um Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "JBoss Enterprise Application Platform ist eine skalierbare Plattform für Java-Anwendungen, inklusive JBoss Application Server, JBoss Hibernate und Boss Seam.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Enterprise Application Platform ausnutzen, um einen Denial of Service Angriff durchzuführen und um Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-0370 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0370.json", }, { category: "self", summary: "WID-SEC-2023-0370 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0370", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3954 vom 2023-06-29", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3374 vom 2023-06-03", url: "https://access.redhat.com/errata/RHSA-2023:3374", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:1516 vom 2023-04-01", url: "https://access.redhat.com/errata/RHSA-2023:1516", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:1006 vom 2023-03-09", url: "https://access.redhat.com/errata/RHSA-2023:1006", }, { category: "external", summary: "Red Hat Security Advisory vom 2023-02-14", url: "https://access.redhat.com/errata/RHSA-2023:0758", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:0888 vom 2023-02-21", url: "https://access.redhat.com/errata/RHSA-2023:0888", }, ], source_lang: "en-US", title: "Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen", tracking: { current_release_date: "2023-06-29T22:00:00.000+00:00", generator: { date: "2024-08-15T17:43:37.714+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-0370", initial_release_date: "2023-02-14T23:00:00.000+00:00", revision_history: [ { date: "2023-02-14T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-02-21T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-03-08T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-04-02T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-04T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-29T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "6", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, { category: "product_name", name: "Red Hat Integration Camel Extensions for Quarkus 1", product: { name: "Red Hat Integration Camel Extensions for Quarkus 1", product_id: "T026453", product_identification_helper: { cpe: "cpe:/a:redhat:integration:camel_extensions_for_quarkus_1", }, }, }, { branches: [ { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform < Build of Quarkus 2.13.7", product: { name: "Red Hat JBoss Enterprise Application Platform < Build of Quarkus 2.13.7", product_id: "130262", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:4.2.0", }, }, }, { category: "product_name", name: "Red Hat JBoss Enterprise Application Platform 7.4", product: { name: "Red Hat JBoss Enterprise Application Platform 7.4", product_id: "978052", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", }, }, }, ], category: "product_name", name: "JBoss Enterprise Application Platform", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-41881", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Der Fehler besteht in der Komponente \"netty\" und kann mithilfe einer speziellen Nachricht ausgelöst werden. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "67646", "978052", "T026453", ], }, release_date: "2023-02-14T23:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2023-0044", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Red Hat JBoss Enterprise Application Platform. Aktuell wurden von Red Hat keine Details zur Schwachstelle veröffentlicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Informationen offenzulegen.", }, ], product_status: { known_affected: [ "67646", "978052", "T026453", ], }, release_date: "2023-02-14T23:00:00.000+00:00", title: "CVE-2023-0044", }, ], }
fkie_cve-2023-0044
Vulnerability from fkie_nvd
Published
2023-02-23 20:15
Modified
2024-11-21 07:36
Severity ?
Summary
If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-0044 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-0044 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2158081 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| quarkus | quarkus | * | |
| redhat | build_of_quarkus | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "9CDB1115-A9F5-46F0-AB03-BBEFD72FA293", versionEndExcluding: "2.13.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature.", }, ], id: "CVE-2023-0044", lastModified: "2024-11-21T07:36:27.050", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-02-23T20:15:12.823", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0044", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158081", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.