Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2023-1370
Vulnerability from cvelistv5
Published
2023-03-13 09:04
Modified
2025-02-27 19:09
Severity ?
EPSS score ?
Summary
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| json-smart | json-smart |
Version: 0 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:49:10.250Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-1370", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-27T19:09:38.903630Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-27T19:09:50.662Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://mvnrepository.com", packageName: "net.minidev:json-smart", product: "json-smart", vendor: "json-smart", versions: [ { lessThan: "2.4.9", status: "affected", version: "0", versionType: "maven", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.</p><p>When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.</p><p>It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.</p>", }, ], value: "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\n\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-674", description: "CWE-674 Uncontrolled Recursion", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-21T19:07:09.457Z", orgId: "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", shortName: "JFROG", }, references: [ { url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, { url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], source: { discovery: "EXTERNAL", }, title: "Stack exhaustion in json-smart leads to denial of service when parsing malformed JSON", }, }, cveMetadata: { assignerOrgId: "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", assignerShortName: "JFROG", cveId: "CVE-2023-1370", datePublished: "2023-03-13T09:04:36.365Z", dateReserved: "2023-03-13T08:35:00.695Z", dateUpdated: "2025-02-27T19:09:50.662Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:json-smart_project:json-smart:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.4.9\", \"matchCriteriaId\": \"DCB9A6B6-D76A-44FE-9326-07E17A486932\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\\n\\nWhen reaching a \\u2018[\\u2018 or \\u2018{\\u2018 character in the JSON input, the code parses an array or an object respectively.\\n\\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\\n\\n\"}]", id: "CVE-2023-1370", lastModified: "2024-11-21T07:39:03.060", metrics: "{\"cvssMetricV31\": [{\"source\": \"reefs@jfrog.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}", published: "2023-03-22T06:15:09.493", references: "[{\"url\": \"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/\", \"source\": \"reefs@jfrog.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"source\": \"reefs@jfrog.com\"}, {\"url\": \"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]", sourceIdentifier: "reefs@jfrog.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"reefs@jfrog.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-674\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-674\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2023-1370\",\"sourceIdentifier\":\"reefs@jfrog.com\",\"published\":\"2023-03-22T06:15:09.493\",\"lastModified\":\"2025-02-13T17:15:58.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\\n\\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\\n\\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"reefs@jfrog.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"reefs@jfrog.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-674\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:json-smart_project:json-smart:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.9\",\"matchCriteriaId\":\"DCB9A6B6-D76A-44FE-9326-07E17A486932\"}]}]}],\"references\":[{\"url\":\"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"reefs@jfrog.com\"},{\"url\":\"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}", vulnrichment: { containers: "{\"cna\": {\"affected\": [{\"collectionURL\": \"https://mvnrepository.com\", \"vendor\": \"json-smart\", \"product\": \"json-smart\", \"packageName\": \"net.minidev:json-smart\", \"versions\": [{\"lessThan\": \"2.4.9\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"maven\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"<p>[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.</p><p>When reaching a \\u2018[\\u2018 or \\u2018{\\u2018 character in the JSON input, the code parses an array or an object respectively.</p><p>It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.</p>\"}], \"value\": \"[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\\n\\nWhen reaching a \\u2018[\\u2018 or \\u2018{\\u2018 character in the JSON input, the code parses an array or an object respectively.\\n\\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-674\", \"description\": \"CWE-674 Uncontrolled Recursion\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"48a46f29-ae42-4e1d-90dd-c1676c1e5e6d\", \"shortName\": \"JFROG\", \"dateUpdated\": \"2024-06-21T19:07:09.457Z\"}, \"references\": [{\"url\": \"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"title\": \"Stack exhaustion in json-smart leads to denial of service when parsing malformed JSON\"}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:49:10.250Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-1370\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-27T19:09:38.903630Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-27T19:09:43.527Z\"}}]}", cveMetadata: "{\"cveId\": \"CVE-2023-1370\", \"assignerOrgId\": \"48a46f29-ae42-4e1d-90dd-c1676c1e5e6d\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"JFROG\", \"dateReserved\": \"2023-03-13T08:35:00.695Z\", \"datePublished\": \"2023-03-13T09:04:36.365Z\", \"dateUpdated\": \"2025-02-27T19:09:50.662Z\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
RHSA-2023:3193
Vulnerability from csaf_redhat
Published
2023-05-17 15:49
Modified
2025-03-03 16:24
Summary
Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 security update
Notes
Topic
Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for Camel Extensions for Quarkus 2.7.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Security Fix(es):
* CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n Red Hat Product Security has rated this update as having an impact of Important.\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for Camel Extensions for Quarkus 2.7.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n Red Hat Product Security has rated this update as having an impact of Important.\n\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n Security Fix(es):\n\n * CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3193", url: "https://access.redhat.com/errata/RHSA-2023:3193", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/security/cve/cve-2023-1370", url: "https://access.redhat.com/security/cve/cve-2023-1370", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3193.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 security update", tracking: { current_release_date: "2025-03-03T16:24:42+00:00", generator: { date: "2025-03-03T16:24:42+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:3193", initial_release_date: "2023-05-17T15:49:21+00:00", revision_history: [ { date: "2023-05-17T15:49:21+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-17T15:49:21+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:24:42+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "CEQ 2.7.1-1", product: { name: "CEQ 2.7.1-1", product_id: "CEQ 2.7.1-1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:2.7", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "CEQ 2.7.1-1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-17T15:49:21+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "CEQ 2.7.1-1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3193", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CEQ 2.7.1-1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023:2100
Vulnerability from csaf_redhat
Published
2023-05-03 14:05
Modified
2025-03-16 06:49
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)
* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)
* apache-ivy: Directory Traversal (CVE-2022-37865)
* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)\n\n* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)\n\n* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)\n\n* apache-ivy: Directory Traversal (CVE-2022-37865)\n\n* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:2100", url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "2134292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2136128", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136128", }, { category: "external", summary: "2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "2136207", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136207", }, { category: "external", summary: "2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "2145264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145264", }, { category: "external", summary: "2150011", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150011", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "2169924", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169924", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2172298", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2172298", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "2182188", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182188", }, { category: "external", summary: "2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2100.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 security update", tracking: { current_release_date: "2025-03-16T06:49:26+00:00", generator: { date: "2025-03-16T06:49:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:2100", initial_release_date: "2023-05-03T14:05:29+00:00", revision_history: [ { date: "2023-05-03T14:05:29+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-03T14:05:29+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:49:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.20.1", product: { name: "RHINT Camel-Springboot 3.20.1", product_id: "RHINT Camel-Springboot 3.20.1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.20.1", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-37533", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2023-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2169924", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-net: FTP client trusts the host from PASV response by default", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37533", }, { category: "external", summary: "RHBZ#2169924", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169924", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37533", url: "https://www.cve.org/CVERecord?id=CVE-2021-37533", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37533", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37533", }, ], release_date: "2023-02-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-net: FTP client trusts the host from PASV response by default", }, { cve: "CVE-2022-4492", cwe: { id: "CWE-550", name: "Server-generated Error Message Containing Sensitive Information", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153260", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Server identity in https connection is not checked by the undertow client", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4492", }, { category: "external", summary: "RHBZ#2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4492", url: "https://www.cve.org/CVERecord?id=CVE-2022-4492", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", }, ], release_date: "2022-12-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: Server identity in https connection is not checked by the undertow client", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-31777", cwe: { id: "CWE-74", name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145264", }, ], notes: [ { category: "description", text: "A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI.", title: "Vulnerability description", }, { category: "summary", text: "apache-spark: XSS vulnerability in log viewer UI Javascript", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31777", }, { category: "external", summary: "RHBZ#2145264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145264", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31777", url: "https://www.cve.org/CVERecord?id=CVE-2022-31777", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31777", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31777", }, ], release_date: "2022-11-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-spark: XSS vulnerability in log viewer UI Javascript", }, { cve: "CVE-2022-33681", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136207", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Pulsar Java Client. This flaw allows an attacker to use a Man-in-the-Middle (MITM) attack, manipulating network traffic and gaining the client's authentication data.", title: "Vulnerability description", }, { category: "summary", text: "Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-33681", }, { category: "external", summary: "RHBZ#2136207", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136207", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-33681", url: "https://www.cve.org/CVERecord?id=CVE-2022-33681", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-33681", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-33681", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", }, { cve: "CVE-2022-37865", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182188", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access.", title: "Vulnerability description", }, { category: "summary", text: "apache-ivy: Directory Traversal", title: "Vulnerability summary", }, { category: "other", text: "Although the CVSS states High according to NIST, due to the nature of this flaw, considering it's an optional attribute and there must be restrictions in other layers to prevent attacks, this flaw is taken as a Moderate following the Medium impact from Apache.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-37865", }, { category: "external", summary: "RHBZ#2182188", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182188", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-37865", url: "https://www.cve.org/CVERecord?id=CVE-2022-37865", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-37865", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37865", }, { category: "external", summary: "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", url: "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", }, ], release_date: "2022-11-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-ivy: Directory Traversal", }, { cve: "CVE-2022-37866", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150011", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Ivy. This may allow an attacker to place artifacts inside and outside of Ivy's repository and overwrite artifacts that the user will use later.", title: "Vulnerability description", }, { category: "summary", text: "Ivy: Ivy Path traversal", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-37866", }, { category: "external", summary: "RHBZ#2150011", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150011", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-37866", url: "https://www.cve.org/CVERecord?id=CVE-2022-37866", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-37866", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37866", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Ivy: Ivy Path traversal", }, { cve: "CVE-2022-38398", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155292", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38398", }, { category: "external", summary: "RHBZ#2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38398", url: "https://www.cve.org/CVERecord?id=CVE-2022-38398", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903462", url: "http://svn.apache.org/viewvc?view=revision&revision=1903462", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1331", url: "https://issues.apache.org/jira/browse/BATIK-1331", }, { category: "external", summary: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", url: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38648", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155295", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38648", }, { category: "external", summary: "RHBZ#2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38648", url: "https://www.cve.org/CVERecord?id=CVE-2022-38648", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903625", url: "http://svn.apache.org/viewvc?view=revision&revision=1903625", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1333", url: "https://issues.apache.org/jira/browse/BATIK-1333", }, { category: "external", summary: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", url: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-38750", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129707", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38750", }, { category: "external", summary: "RHBZ#2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38750", url: "https://www.cve.org/CVERecord?id=CVE-2022-38750", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", }, { cve: "CVE-2022-38751", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129709", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38751", }, { category: "external", summary: "RHBZ#2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38751", url: "https://www.cve.org/CVERecord?id=CVE-2022-38751", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", }, { cve: "CVE-2022-38752", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129710", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38752", }, { category: "external", summary: "RHBZ#2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38752", url: "https://www.cve.org/CVERecord?id=CVE-2022-38752", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", }, { cve: "CVE-2022-39368", cwe: { id: "CWE-459", name: "Incomplete Cleanup", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145205", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.", title: "Vulnerability description", }, { category: "summary", text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-39368", }, { category: "external", summary: "RHBZ#2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368", url: "https://www.cve.org/CVERecord?id=CVE-2022-39368", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", }, { category: "external", summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", }, ], release_date: "2022-11-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", }, { cve: "CVE-2022-40146", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155291", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery (SSRF) vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40146", }, { category: "external", summary: "RHBZ#2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40146", url: "https://www.cve.org/CVERecord?id=CVE-2022-40146", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903910", url: "http://svn.apache.org/viewvc?view=revision&revision=1903910", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1335", url: "https://issues.apache.org/jira/browse/BATIK-1335", }, { category: "external", summary: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", url: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery (SSRF) vulnerability", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-40151", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134292", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40151", }, { category: "external", summary: "RHBZ#2134292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40151", url: "https://www.cve.org/CVERecord?id=CVE-2022-40151", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134291", }, ], notes: [ { category: "description", text: "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", title: "Vulnerability description", }, { category: "summary", text: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40152", }, { category: "external", summary: "RHBZ#2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40152", url: "https://www.cve.org/CVERecord?id=CVE-2022-40152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", }, { category: "external", summary: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", url: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40156", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134288", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40156", }, { category: "external", summary: "RHBZ#2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40156", url: "https://www.cve.org/CVERecord?id=CVE-2022-40156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-41704", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182182", }, ], notes: [ { category: "description", text: "A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.", title: "Vulnerability description", }, { category: "summary", text: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41704", }, { category: "external", summary: "RHBZ#2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41704", url: "https://www.cve.org/CVERecord?id=CVE-2022-41704", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", }, { cve: "CVE-2022-41852", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136128", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Commons JXPath package. This flaw allows an attacker to use the interpreter to execute untrusted expressions and a remote code attack.", title: "Vulnerability description", }, { category: "summary", text: "JXPath: untrusted XPath expressions may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41852", }, { category: "external", summary: "RHBZ#2136128", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136128", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41852", url: "https://www.cve.org/CVERecord?id=CVE-2022-41852", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41852", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41852", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "JXPath: untrusted XPath expressions may lead to RCE attack", }, { cve: "CVE-2022-41853", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136141", }, ], notes: [ { category: "description", text: "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", title: "Vulnerability description", }, { category: "summary", text: "hsqldb: Untrusted input may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41853", }, { category: "external", summary: "RHBZ#2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41853", url: "https://www.cve.org/CVERecord?id=CVE-2022-41853", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", }, { category: "external", summary: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", url: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", }, { category: "external", summary: "https://github.com/advisories/GHSA-77xx-rxvh-q682", url: "https://github.com/advisories/GHSA-77xx-rxvh-q682", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "workaround", details: "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "hsqldb: Untrusted input may lead to RCE attack", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-42890", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182183", }, ], notes: [ { category: "description", text: "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.", title: "Vulnerability description", }, { category: "summary", text: "batik: Untrusted code execution in Apache XML Graphics Batik", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42890", }, { category: "external", summary: "RHBZ#2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42890", url: "https://www.cve.org/CVERecord?id=CVE-2022-42890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Untrusted code execution in Apache XML Graphics Batik", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-20863", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2187742", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20863", }, { category: "external", summary: "RHBZ#2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20863", url: "https://www.cve.org/CVERecord?id=CVE-2023-20863", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", }, { category: "external", summary: "https://spring.io/security/cve-2023-20863", url: "https://spring.io/security/cve-2023-20863", }, ], release_date: "2023-04-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-22602", cwe: { id: "CWE-436", name: "Interpretation Conflict", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182198", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Authentication bypass through a specially crafted HTTP request", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-22602", }, { category: "external", summary: "RHBZ#2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-22602", url: "https://www.cve.org/CVERecord?id=CVE-2023-22602", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", }, ], release_date: "2023-01-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "shiro: Authentication bypass through a specially crafted HTTP request", }, { cve: "CVE-2023-24998", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2172298", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", title: "Vulnerability description", }, { category: "summary", text: "FileUpload: FileUpload DoS with excessive parts", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-24998", }, { category: "external", summary: "RHBZ#2172298", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2172298", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-24998", url: "https://www.cve.org/CVERecord?id=CVE-2023-24998", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", }, { category: "external", summary: "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5", url: "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5", }, ], release_date: "2023-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "FileUpload: FileUpload DoS with excessive parts", }, ], }
RHSA-2023:3954
Vulnerability from csaf_redhat
Published
2023-06-29 20:07
Modified
2025-03-16 06:49
Summary
Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update
Notes
Topic
A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hazelcast: Hazelcast connection caching (CVE-2022-36437)\n\n* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)\n\n* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)\n\n* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n\n* tomcat: JsonErrorReportValve injection (CVE-2022-45143)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3954", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#critical", url: "https://access.redhat.com/security/updates/classification/#critical", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/", url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/", }, { category: "external", summary: "873317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=873317", }, { category: "external", summary: "1886587", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587", }, { category: "external", summary: "2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2144970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2144970", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "2158695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158695", }, { category: "external", summary: "2162053", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162053", }, { category: "external", summary: "2162206", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162206", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2174246", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "ENTESB-20598", url: "https://issues.redhat.com/browse/ENTESB-20598", }, { category: "external", summary: "ENTESB-21418", url: "https://issues.redhat.com/browse/ENTESB-21418", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3954.json", }, ], title: "Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update", tracking: { current_release_date: "2025-03-16T06:49:05+00:00", generator: { date: "2025-03-16T06:49:05+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3954", initial_release_date: "2023-06-29T20:07:23+00:00", revision_history: [ { date: "2023-06-29T20:07:23+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-29T20:07:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:49:05+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 7.12", product: { name: "Red Hat Fuse 7.12", product_id: "Red Hat Fuse 7.12", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2012-5783", discovery_date: "2012-11-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "873317", }, ], notes: [ { category: "description", text: "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", title: "Vulnerability description", }, { category: "summary", text: "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2012-5783", }, { category: "external", summary: "RHBZ#873317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=873317", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2012-5783", url: "https://www.cve.org/CVERecord?id=CVE-2012-5783", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2012-5783", url: "https://nvd.nist.gov/vuln/detail/CVE-2012-5783", }, ], release_date: "2012-10-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name", }, { cve: "CVE-2020-13956", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-10-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1886587", }, ], notes: [ { category: "description", text: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", title: "Vulnerability description", }, { category: "summary", text: "apache-httpclient: incorrect handling of malformed authority component in request URIs", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.\nIn OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.\n\nIn the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-13956", }, { category: "external", summary: "RHBZ#1886587", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-13956", url: "https://www.cve.org/CVERecord?id=CVE-2020-13956", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956", }, { category: "external", summary: "https://www.openwall.com/lists/oss-security/2020/10/08/4", url: "https://www.openwall.com/lists/oss-security/2020/10/08/4", }, ], release_date: "2020-10-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-httpclient: incorrect handling of malformed authority component in request URIs", }, { cve: "CVE-2022-4492", cwe: { id: "CWE-550", name: "Server-generated Error Message Containing Sensitive Information", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153260", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Server identity in https connection is not checked by the undertow client", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4492", }, { category: "external", summary: "RHBZ#2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4492", url: "https://www.cve.org/CVERecord?id=CVE-2022-4492", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", }, ], release_date: "2022-12-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: Server identity in https connection is not checked by the undertow client", }, { cve: "CVE-2022-24785", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2072009", }, ], notes: [ { category: "description", text: "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", title: "Vulnerability description", }, { category: "summary", text: "Moment.js: Path traversal in moment.locale", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24785", }, { category: "external", summary: "RHBZ#2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24785", url: "https://www.cve.org/CVERecord?id=CVE-2022-24785", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", url: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", }, ], release_date: "2022-04-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "workaround", details: "Sanitize the user-provided locale name before passing it to Moment.js.", product_ids: [ "Red Hat Fuse 7.12", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Moment.js: Path traversal in moment.locale", }, { cve: "CVE-2022-31692", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2023-01-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2162206", }, ], notes: [ { category: "description", text: "A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.", title: "Vulnerability description", }, { category: "summary", text: "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31692", }, { category: "external", summary: "RHBZ#2162206", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162206", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31692", url: "https://www.cve.org/CVERecord?id=CVE-2022-31692", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", }, { category: "external", summary: "https://spring.io/security/cve-2022-31692", url: "https://spring.io/security/cve-2022-31692", }, ], release_date: "2022-10-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", }, { cve: "CVE-2022-36437", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2023-01-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2162053", }, ], notes: [ { category: "description", text: "A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster.", title: "Vulnerability description", }, { category: "summary", text: "hazelcast: Hazelcast connection caching", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration - Camel Quarkus Extensions: Hazelcast is contained in camel-quarkus-hazelcast but it does not affect any supported component. This package is community support only. Hence the low impact for Camel Quarkus Extension.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-36437", }, { category: "external", summary: "RHBZ#2162053", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162053", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-36437", url: "https://www.cve.org/CVERecord?id=CVE-2022-36437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-36437", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36437", }, { category: "external", summary: "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", url: "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", }, ], release_date: "2022-12-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "hazelcast: Hazelcast connection caching", }, { cve: "CVE-2022-38398", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155292", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38398", }, { category: "external", summary: "RHBZ#2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38398", url: "https://www.cve.org/CVERecord?id=CVE-2022-38398", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903462", url: "http://svn.apache.org/viewvc?view=revision&revision=1903462", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1331", url: "https://issues.apache.org/jira/browse/BATIK-1331", }, { category: "external", summary: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", url: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38648", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155295", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38648", }, { category: "external", summary: "RHBZ#2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38648", url: "https://www.cve.org/CVERecord?id=CVE-2022-38648", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903625", url: "http://svn.apache.org/viewvc?view=revision&revision=1903625", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1333", url: "https://issues.apache.org/jira/browse/BATIK-1333", }, { category: "external", summary: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", url: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-40146", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155291", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery (SSRF) vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40146", }, { category: "external", summary: "RHBZ#2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40146", url: "https://www.cve.org/CVERecord?id=CVE-2022-40146", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903910", url: "http://svn.apache.org/viewvc?view=revision&revision=1903910", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1335", url: "https://issues.apache.org/jira/browse/BATIK-1335", }, { category: "external", summary: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", url: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery (SSRF) vulnerability", }, { cve: "CVE-2022-41704", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182182", }, ], notes: [ { category: "description", text: "A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.", title: "Vulnerability description", }, { category: "summary", text: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41704", }, { category: "external", summary: "RHBZ#2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41704", url: "https://www.cve.org/CVERecord?id=CVE-2022-41704", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41940", cwe: { id: "CWE-248", name: "Uncaught Exception", }, discovery_date: "2022-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2144970", }, ], notes: [ { category: "description", text: "A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "engine.io: Specially crafted HTTP request can trigger an uncaught exception", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41940", }, { category: "external", summary: "RHBZ#2144970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2144970", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41940", url: "https://www.cve.org/CVERecord?id=CVE-2022-41940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", }, ], release_date: "2022-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "engine.io: Specially crafted HTTP request can trigger an uncaught exception", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42890", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182183", }, ], notes: [ { category: "description", text: "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.", title: "Vulnerability description", }, { category: "summary", text: "batik: Untrusted code execution in Apache XML Graphics Batik", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42890", }, { category: "external", summary: "RHBZ#2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42890", url: "https://www.cve.org/CVERecord?id=CVE-2022-42890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Untrusted code execution in Apache XML Graphics Batik", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2022-45143", cwe: { id: "CWE-74", name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, discovery_date: "2023-01-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158695", }, ], notes: [ { category: "description", text: "A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: JsonErrorReportValve injection", title: "Vulnerability summary", }, { category: "other", text: "Although it may be rated as CVSS 7.5, it's still considered a low impact flaw as according to the advisory report from Apache, user controlled data may occur in specific cases only and may alter some specific fields only.\n\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45143", }, { category: "external", summary: "RHBZ#2158695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45143", url: "https://www.cve.org/CVERecord?id=CVE-2022-45143", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45143", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45143", }, { category: "external", summary: "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj", url: "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj", }, ], release_date: "2023-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: JsonErrorReportValve injection", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2022-46364", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155682", }, ], notes: [ { category: "description", text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", title: "Vulnerability description", }, { category: "summary", text: "CXF: SSRF Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46364", }, { category: "external", summary: "RHBZ#2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364", url: "https://www.cve.org/CVERecord?id=CVE-2022-46364", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "CXF: SSRF Vulnerability", }, { cve: "CVE-2023-1108", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2023-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2174246", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.", title: "Vulnerability description", }, { category: "summary", text: "Undertow: Infinite loop in SslConduit during close", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { category: "external", summary: "RHBZ#2174246", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1108", url: "https://www.cve.org/CVERecord?id=CVE-2023-1108", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", }, { category: "external", summary: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, ], release_date: "2023-03-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Undertow: Infinite loop in SslConduit during close", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-20883", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-05-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2209342", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20883", }, { category: "external", summary: "RHBZ#2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20883", url: "https://www.cve.org/CVERecord?id=CVE-2023-20883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", }, ], release_date: "2023-05-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", }, { cve: "CVE-2023-22602", cwe: { id: "CWE-436", name: "Interpretation Conflict", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182198", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Authentication bypass through a specially crafted HTTP request", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-22602", }, { category: "external", summary: "RHBZ#2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-22602", url: "https://www.cve.org/CVERecord?id=CVE-2023-22602", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", }, ], release_date: "2023-01-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "shiro: Authentication bypass through a specially crafted HTTP request", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, ], }
rhsa-2023:3610
Vulnerability from csaf_redhat
Published
2023-06-15 00:17
Modified
2025-03-15 00:10
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)\n\n* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3610", url: "https://access.redhat.com/errata/RHSA-2023:3610", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2155970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970", }, { category: "external", summary: "2164278", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", }, { category: "external", summary: "2178358", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2178358", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3610.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2025-03-15T00:10:48+00:00", generator: { date: "2025-03-15T00:10:48+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3610", initial_release_date: "2023-06-15T00:17:42+00:00", revision_history: [ { date: "2023-06-15T00:17:42+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T00:17:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T00:10:48+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.12", product: { name: "OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.12::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686649641-3.el8.src", product: { name: "jenkins-0:2.401.1.1686649641-3.el8.src", product_id: "jenkins-0:2.401.1.1686649641-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product_id: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686649641-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686649641-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686649641-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686649641-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, ], }, vulnerabilities: [ { cve: "CVE-2021-46877", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-11T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2185707", }, ], notes: [ { category: "description", text: "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-46877", }, { category: "external", summary: "RHBZ#2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-46877", url: "https://www.cve.org/CVERecord?id=CVE-2021-46877", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", }, ], release_date: "2023-03-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", }, { cve: "CVE-2022-29599", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, discovery_date: "2022-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066479", }, ], notes: [ { category: "description", text: "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", title: "Vulnerability description", }, { category: "summary", text: "maven-shared-utils: Command injection via Commandline class", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-29599", }, { category: "external", summary: "RHBZ#2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-29599", url: "https://www.cve.org/CVERecord?id=CVE-2022-29599", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", }, ], release_date: "2020-05-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "maven-shared-utils: Command injection via Commandline class", }, { cve: "CVE-2022-30953", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119646", }, ], notes: [ { category: "description", text: "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: CSRF vulnerability in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30953", }, { category: "external", summary: "RHBZ#2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30953", url: "https://www.cve.org/CVERecord?id=CVE-2022-30953", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: CSRF vulnerability in Blue Ocean Plugin", }, { cve: "CVE-2022-30954", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119647", }, ], notes: [ { category: "description", text: "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: missing permission checks in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30954", }, { category: "external", summary: "RHBZ#2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30954", url: "https://www.cve.org/CVERecord?id=CVE-2022-30954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: missing permission checks in Blue Ocean Plugin", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-45693", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-23T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155970", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", title: "Vulnerability summary", }, { category: "other", text: "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45693", }, { category: "external", summary: "RHBZ#2155970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45693", url: "https://www.cve.org/CVERecord?id=CVE-2022-45693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-24422", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2023-01-25T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2164278", }, ], notes: [ { category: "description", text: "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-24422", }, { category: "external", summary: "RHBZ#2164278", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-24422", url: "https://www.cve.org/CVERecord?id=CVE-2023-24422", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", }, ], release_date: "2023-01-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", }, { cve: "CVE-2023-32977", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207830", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32977", }, { category: "external", summary: "RHBZ#2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32977", url: "https://www.cve.org/CVERecord?id=CVE-2023-32977", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", }, { cve: "CVE-2023-32981", discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207835", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32981", }, { category: "external", summary: "RHBZ#2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32981", url: "https://www.cve.org/CVERecord?id=CVE-2023-32981", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", }, ], }
rhsa-2023_2100
Vulnerability from csaf_redhat
Published
2023-05-03 14:05
Modified
2024-12-17 22:55
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)
* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)
* apache-ivy: Directory Traversal (CVE-2022-37865)
* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)\n\n* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)\n\n* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)\n\n* apache-ivy: Directory Traversal (CVE-2022-37865)\n\n* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:2100", url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "2134292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2136128", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136128", }, { category: "external", summary: "2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "2136207", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136207", }, { category: "external", summary: "2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "2145264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145264", }, { category: "external", summary: "2150011", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150011", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "2169924", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169924", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2172298", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2172298", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "2182188", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182188", }, { category: "external", summary: "2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2100.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 security update", tracking: { current_release_date: "2024-12-17T22:55:43+00:00", generator: { date: "2024-12-17T22:55:43+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:2100", initial_release_date: "2023-05-03T14:05:29+00:00", revision_history: [ { date: "2023-05-03T14:05:29+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-03T14:05:29+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T22:55:43+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.20.1", product: { name: "RHINT Camel-Springboot 3.20.1", product_id: "RHINT Camel-Springboot 3.20.1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.20.1", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-37533", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2023-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2169924", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-net: FTP client trusts the host from PASV response by default", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37533", }, { category: "external", summary: "RHBZ#2169924", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169924", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37533", url: "https://www.cve.org/CVERecord?id=CVE-2021-37533", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37533", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37533", }, ], release_date: "2023-02-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-net: FTP client trusts the host from PASV response by default", }, { cve: "CVE-2022-4492", cwe: { id: "CWE-550", name: "Server-generated Error Message Containing Sensitive Information", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153260", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Server identity in https connection is not checked by the undertow client", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4492", }, { category: "external", summary: "RHBZ#2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4492", url: "https://www.cve.org/CVERecord?id=CVE-2022-4492", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", }, ], release_date: "2022-12-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: Server identity in https connection is not checked by the undertow client", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-31777", cwe: { id: "CWE-74", name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145264", }, ], notes: [ { category: "description", text: "A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI.", title: "Vulnerability description", }, { category: "summary", text: "apache-spark: XSS vulnerability in log viewer UI Javascript", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31777", }, { category: "external", summary: "RHBZ#2145264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145264", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31777", url: "https://www.cve.org/CVERecord?id=CVE-2022-31777", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31777", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31777", }, ], release_date: "2022-11-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-spark: XSS vulnerability in log viewer UI Javascript", }, { cve: "CVE-2022-33681", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136207", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Pulsar Java Client. This flaw allows an attacker to use a Man-in-the-Middle (MITM) attack, manipulating network traffic and gaining the client's authentication data.", title: "Vulnerability description", }, { category: "summary", text: "Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-33681", }, { category: "external", summary: "RHBZ#2136207", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136207", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-33681", url: "https://www.cve.org/CVERecord?id=CVE-2022-33681", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-33681", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-33681", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", }, { cve: "CVE-2022-37865", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182188", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access.", title: "Vulnerability description", }, { category: "summary", text: "apache-ivy: Directory Traversal", title: "Vulnerability summary", }, { category: "other", text: "Although the CVSS states High according to NIST, due to the nature of this flaw, considering it's an optional attribute and there must be restrictions in other layers to prevent attacks, this flaw is taken as a Moderate following the Medium impact from Apache.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-37865", }, { category: "external", summary: "RHBZ#2182188", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182188", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-37865", url: "https://www.cve.org/CVERecord?id=CVE-2022-37865", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-37865", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37865", }, { category: "external", summary: "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", url: "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", }, ], release_date: "2022-11-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-ivy: Directory Traversal", }, { cve: "CVE-2022-37866", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150011", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Ivy. This may allow an attacker to place artifacts inside and outside of Ivy's repository and overwrite artifacts that the user will use later.", title: "Vulnerability description", }, { category: "summary", text: "Ivy: Ivy Path traversal", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-37866", }, { category: "external", summary: "RHBZ#2150011", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150011", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-37866", url: "https://www.cve.org/CVERecord?id=CVE-2022-37866", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-37866", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37866", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Ivy: Ivy Path traversal", }, { cve: "CVE-2022-38398", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155292", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38398", }, { category: "external", summary: "RHBZ#2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38398", url: "https://www.cve.org/CVERecord?id=CVE-2022-38398", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903462", url: "http://svn.apache.org/viewvc?view=revision&revision=1903462", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1331", url: "https://issues.apache.org/jira/browse/BATIK-1331", }, { category: "external", summary: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", url: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38648", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155295", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38648", }, { category: "external", summary: "RHBZ#2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38648", url: "https://www.cve.org/CVERecord?id=CVE-2022-38648", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903625", url: "http://svn.apache.org/viewvc?view=revision&revision=1903625", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1333", url: "https://issues.apache.org/jira/browse/BATIK-1333", }, { category: "external", summary: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", url: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-38750", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129707", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38750", }, { category: "external", summary: "RHBZ#2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38750", url: "https://www.cve.org/CVERecord?id=CVE-2022-38750", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", }, { cve: "CVE-2022-38751", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129709", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38751", }, { category: "external", summary: "RHBZ#2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38751", url: "https://www.cve.org/CVERecord?id=CVE-2022-38751", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", }, { cve: "CVE-2022-38752", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129710", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38752", }, { category: "external", summary: "RHBZ#2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38752", url: "https://www.cve.org/CVERecord?id=CVE-2022-38752", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", }, { cve: "CVE-2022-39368", cwe: { id: "CWE-459", name: "Incomplete Cleanup", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145205", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.", title: "Vulnerability description", }, { category: "summary", text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-39368", }, { category: "external", summary: "RHBZ#2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368", url: "https://www.cve.org/CVERecord?id=CVE-2022-39368", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", }, { category: "external", summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", }, ], release_date: "2022-11-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", }, { cve: "CVE-2022-40146", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155291", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery (SSRF) vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40146", }, { category: "external", summary: "RHBZ#2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40146", url: "https://www.cve.org/CVERecord?id=CVE-2022-40146", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903910", url: "http://svn.apache.org/viewvc?view=revision&revision=1903910", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1335", url: "https://issues.apache.org/jira/browse/BATIK-1335", }, { category: "external", summary: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", url: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery (SSRF) vulnerability", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-40151", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134292", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40151", }, { category: "external", summary: "RHBZ#2134292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40151", url: "https://www.cve.org/CVERecord?id=CVE-2022-40151", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134291", }, ], notes: [ { category: "description", text: "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", title: "Vulnerability description", }, { category: "summary", text: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40152", }, { category: "external", summary: "RHBZ#2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40152", url: "https://www.cve.org/CVERecord?id=CVE-2022-40152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", }, { category: "external", summary: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", url: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40156", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134288", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40156", }, { category: "external", summary: "RHBZ#2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40156", url: "https://www.cve.org/CVERecord?id=CVE-2022-40156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-41704", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182182", }, ], notes: [ { category: "description", text: "A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.", title: "Vulnerability description", }, { category: "summary", text: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41704", }, { category: "external", summary: "RHBZ#2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41704", url: "https://www.cve.org/CVERecord?id=CVE-2022-41704", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", }, { cve: "CVE-2022-41852", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136128", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Commons JXPath package. This flaw allows an attacker to use the interpreter to execute untrusted expressions and a remote code attack.", title: "Vulnerability description", }, { category: "summary", text: "JXPath: untrusted XPath expressions may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41852", }, { category: "external", summary: "RHBZ#2136128", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136128", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41852", url: "https://www.cve.org/CVERecord?id=CVE-2022-41852", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41852", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41852", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "JXPath: untrusted XPath expressions may lead to RCE attack", }, { cve: "CVE-2022-41853", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136141", }, ], notes: [ { category: "description", text: "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", title: "Vulnerability description", }, { category: "summary", text: "hsqldb: Untrusted input may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41853", }, { category: "external", summary: "RHBZ#2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41853", url: "https://www.cve.org/CVERecord?id=CVE-2022-41853", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", }, { category: "external", summary: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", url: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", }, { category: "external", summary: "https://github.com/advisories/GHSA-77xx-rxvh-q682", url: "https://github.com/advisories/GHSA-77xx-rxvh-q682", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "workaround", details: "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "hsqldb: Untrusted input may lead to RCE attack", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-42890", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182183", }, ], notes: [ { category: "description", text: "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.", title: "Vulnerability description", }, { category: "summary", text: "batik: Untrusted code execution in Apache XML Graphics Batik", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42890", }, { category: "external", summary: "RHBZ#2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42890", url: "https://www.cve.org/CVERecord?id=CVE-2022-42890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Untrusted code execution in Apache XML Graphics Batik", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-20863", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2187742", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20863", }, { category: "external", summary: "RHBZ#2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20863", url: "https://www.cve.org/CVERecord?id=CVE-2023-20863", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", }, { category: "external", summary: "https://spring.io/security/cve-2023-20863", url: "https://spring.io/security/cve-2023-20863", }, ], release_date: "2023-04-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-22602", cwe: { id: "CWE-436", name: "Interpretation Conflict", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182198", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Authentication bypass through a specially crafted HTTP request", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-22602", }, { category: "external", summary: "RHBZ#2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-22602", url: "https://www.cve.org/CVERecord?id=CVE-2023-22602", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", }, ], release_date: "2023-01-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "shiro: Authentication bypass through a specially crafted HTTP request", }, { cve: "CVE-2023-24998", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2172298", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", title: "Vulnerability description", }, { category: "summary", text: "FileUpload: FileUpload DoS with excessive parts", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-24998", }, { category: "external", summary: "RHBZ#2172298", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2172298", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-24998", url: "https://www.cve.org/CVERecord?id=CVE-2023-24998", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", }, { category: "external", summary: "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5", url: "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5", }, ], release_date: "2023-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "FileUpload: FileUpload DoS with excessive parts", }, ], }
rhsa-2023_3362
Vulnerability from csaf_redhat
Published
2023-06-07 09:23
Modified
2024-12-10 17:52
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.10.
Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:3363
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.10.\n\nRed Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2023:3363\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3362", url: "https://access.redhat.com/errata/RHSA-2023:3362", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/articles/11258", url: "https://access.redhat.com/articles/11258", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3362.json", }, ], title: "Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update", tracking: { current_release_date: "2024-12-10T17:52:05+00:00", generator: { date: "2024-12-10T17:52:05+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3362", initial_release_date: "2023-06-07T09:23:42+00:00", revision_history: [ { date: "2023-06-07T09:23:42+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-07T09:23:42+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-10T17:52:05+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenShift Container Platform 4.10", product: { name: "Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:4.10::el7", }, }, }, { category: "product_name", name: "Red Hat OpenShift Container Platform 4.10", product: { name: "Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:4.10::el8", }, }, }, ], category: "product_family", name: "Red Hat OpenShift Enterprise", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=src", }, }, }, { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product_id: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.10.1684982411-1.el8?arch=src", }, }, }, { category: "product_version", name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product: { name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product_id: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-sushy@4.1.6-0.20230517173625.5490eb6.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.10.1684982411-1.el8?arch=noarch", }, }, }, { category: "product_version", name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product: { name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_id: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-sushy@4.1.6-0.20230517173625.5490eb6.el8?arch=noarch", }, }, }, { category: "product_version", name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product: { name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_id: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-sushy-tests@4.1.6-0.20230517173625.5490eb6.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", }, product_reference: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", }, product_reference: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", }, product_reference: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", ], known_not_affected: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-07T09:23:42+00:00", details: "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html", product_ids: [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3362", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
RHSA-2023:3663
Vulnerability from csaf_redhat
Published
2023-06-19 10:15
Modified
2025-03-14 23:17
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)
* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)
* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)\n\n* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)\n\n* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n\n* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3663", url: "https://access.redhat.com/errata/RHSA-2023:3663", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2087214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", }, { category: "external", summary: "2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2177626", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", }, { category: "external", summary: "2177629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177629", }, { category: "external", summary: "2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2182864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3663.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2025-03-14T23:17:08+00:00", generator: { date: "2025-03-14T23:17:08+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3663", initial_release_date: "2023-06-19T10:15:57+00:00", revision_history: [ { date: "2023-06-19T10:15:57+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-19T10:15:57+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T23:17:08+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product: { name: "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.11::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686831596-3.el8.src", product: { name: "jenkins-0:2.401.1.1686831596-3.el8.src", product_id: "jenkins-0:2.401.1.1686831596-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product_id: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.11.1686831822-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.11.1686831822-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686831596-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686831596-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686831596-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686831596-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, ], }, vulnerabilities: [ { cve: "CVE-2022-2048", cwe: { id: "CWE-410", name: "Insufficient Resource Pool", }, discovery_date: "2022-08-09T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2116952", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.", title: "Vulnerability description", }, { category: "summary", text: "http2-server: Invalid HTTP/2 requests cause DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2048", }, { category: "external", summary: "RHBZ#2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2048", url: "https://www.cve.org/CVERecord?id=CVE-2022-2048", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", }, ], release_date: "2022-07-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "http2-server: Invalid HTTP/2 requests cause DoS", }, { cve: "CVE-2022-22976", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, discovery_date: "2022-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087214", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.", title: "Vulnerability description", }, { category: "summary", text: "springframework: BCrypt skips salt rounds for work factor of 31", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-22976", }, { category: "external", summary: "RHBZ#2087214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-22976", url: "https://www.cve.org/CVERecord?id=CVE-2022-22976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", }, { category: "external", summary: "https://tanzu.vmware.com/security/cve-2022-22976", url: "https://tanzu.vmware.com/security/cve-2022-22976", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: BCrypt skips salt rounds for work factor of 31", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-26464", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182864", }, ], notes: [ { category: "description", text: "A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.", title: "Vulnerability description", }, { category: "summary", text: "log4j1-socketappender: DoS via hashmap logging", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux 8 and 9 security impacts have been reduced to Low as they do not enable the vulnerable JDK by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-26464", }, { category: "external", summary: "RHBZ#2182864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-26464", url: "https://www.cve.org/CVERecord?id=CVE-2023-26464", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", }, { category: "external", summary: "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", url: "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", }, ], release_date: "2023-03-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j1-socketappender: DoS via hashmap logging", }, { cve: "CVE-2023-27898", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177629", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This issue results in a stored Cross-site scripting (XSS) vulnerability, exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: XSS vulnerability in plugin manager", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27898", }, { category: "external", summary: "RHBZ#2177629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177629", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27898", url: "https://www.cve.org/CVERecord?id=CVE-2023-27898", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27898", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27898", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Jenkins: XSS vulnerability in plugin manager", }, { cve: "CVE-2023-27899", cwe: { id: "CWE-378", name: "Creation of Temporary File With Insecure Permissions", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177626", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary plugin file created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27899", }, { category: "external", summary: "RHBZ#2177626", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27899", url: "https://www.cve.org/CVERecord?id=CVE-2023-27899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Jenkins: Temporary plugin file created with insecure permissions", }, { cve: "CVE-2023-27903", cwe: { id: "CWE-266", name: "Incorrect Privilege Assignment", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177632", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary file parameter created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27903", }, { category: "external", summary: "RHBZ#2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27903", url: "https://www.cve.org/CVERecord?id=CVE-2023-27903", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Temporary file parameter created with insecure permissions", }, { cve: "CVE-2023-27904", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177634", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Information disclosure through error stack traces related to agents", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27904", }, { category: "external", summary: "RHBZ#2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27904", url: "https://www.cve.org/CVERecord?id=CVE-2023-27904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Information disclosure through error stack traces related to agents", }, { cve: "CVE-2023-32977", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207830", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32977", }, { category: "external", summary: "RHBZ#2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32977", url: "https://www.cve.org/CVERecord?id=CVE-2023-32977", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", }, { cve: "CVE-2023-32981", discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207835", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32981", }, { category: "external", summary: "RHBZ#2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32981", url: "https://www.cve.org/CVERecord?id=CVE-2023-32981", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", }, ], }
rhsa-2024:3527
Vulnerability from csaf_redhat
Published
2024-05-30 20:24
Modified
2025-03-15 04:02
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)\n* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)\n* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n* guava: insecure temporary directory creation (CVE-2023-2976)\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:3527", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "ENTMQST-5619", url: "https://issues.redhat.com/browse/ENTMQST-5619", }, { category: "external", summary: "ENTMQST-5881", url: "https://issues.redhat.com/browse/ENTMQST-5881", }, { category: "external", summary: "ENTMQST-5882", url: "https://issues.redhat.com/browse/ENTMQST-5882", }, { category: "external", summary: "ENTMQST-5883", url: "https://issues.redhat.com/browse/ENTMQST-5883", }, { category: "external", summary: "ENTMQST-5884", url: "https://issues.redhat.com/browse/ENTMQST-5884", }, { category: "external", summary: "ENTMQST-5885", url: "https://issues.redhat.com/browse/ENTMQST-5885", }, { category: "external", summary: "ENTMQST-5886", url: "https://issues.redhat.com/browse/ENTMQST-5886", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3527.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update", tracking: { current_release_date: "2025-03-15T04:02:14+00:00", generator: { date: "2025-03-15T04:02:14+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:3527", initial_release_date: "2024-05-30T20:24:46+00:00", revision_history: [ { date: "2024-05-30T20:24:46+00:00", number: "1", summary: "Initial version", }, { date: "2024-06-25T17:26:45+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:02:14+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.7.0", product: { name: "Red Hat AMQ Streams 2.7.0", product_id: "Red Hat AMQ Streams 2.7.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-3520", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2021-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1954559", }, ], notes: [ { category: "description", text: "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", title: "Vulnerability description", }, { category: "summary", text: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", title: "Vulnerability summary", }, { category: "other", text: "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3520", }, { category: "external", summary: "RHBZ#1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3520", url: "https://www.cve.org/CVERecord?id=CVE-2021-3520", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", }, ], release_date: "2021-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", }, { cve: "CVE-2021-24032", cwe: { id: "CWE-281", name: "Improper Preservation of Permissions", }, discovery_date: "2021-02-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1928090", }, ], notes: [ { category: "description", text: "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).", title: "Vulnerability description", }, { category: "summary", text: "zstd: Race condition allows attacker to access world-readable destination file", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.\n\nThis vulnerability can be considered low severity rather than moderate due to the fact that the elevated file permissions are only temporary and only exist during the compression or decompression process. Once the operation completes, the file permissions revert to their intended state, mirroring those of the input file. The risk is further minimized by the fact that the exposure window is brief, and the elevated permissions are not persistent. Additionally, the issue only arises during the processing of files, and only those with larger sizes or more involved operations would be at risk.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-24032", }, { category: "external", summary: "RHBZ#1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-24032", url: "https://www.cve.org/CVERecord?id=CVE-2021-24032", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", }, ], release_date: "2021-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: Race condition allows attacker to access world-readable destination file", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-4899", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-01-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2179864", }, ], notes: [ { category: "description", text: "A vulnerability was found in zstd. This flaw allows an attacker to supply an empty string as an argument to the command line tool to cause a buffer overrun.", title: "Vulnerability description", }, { category: "summary", text: "zstd: mysql: buffer overrun in util.c", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Moderate because a buffer overrun in Zstd can be triggered by supplying an empty string as an argument to the command-line tool. On exploitation, it could lead to application crashes or unpredictable behavior.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4899", }, { category: "external", summary: "RHBZ#2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4899", url: "https://www.cve.org/CVERecord?id=CVE-2022-4899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", }, ], release_date: "2022-07-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "zstd: mysql: buffer overrun in util.c", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2251281", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33202", }, { category: "external", summary: "RHBZ#2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33202", url: "https://www.cve.org/CVERecord?id=CVE-2023-33202", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", }, ], release_date: "2023-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", }, { cve: "CVE-2023-43642", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241722", }, ], notes: [ { category: "description", text: "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-43642", }, { category: "external", summary: "RHBZ#2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-43642", url: "https://www.cve.org/CVERecord?id=CVE-2023-43642", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", }, { category: "external", summary: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", url: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", }, ], release_date: "2023-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-1023", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-01-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2260840", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1023", }, { category: "external", summary: "RHBZ#2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1023", url: "https://www.cve.org/CVERecord?id=CVE-2024-1023", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/issues/5078", url: "https://github.com/eclipse-vertx/vert.x/issues/5078", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5080", url: "https://github.com/eclipse-vertx/vert.x/pull/5080", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5082", url: "https://github.com/eclipse-vertx/vert.x/pull/5082", }, ], release_date: "2024-01-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", }, { cve: "CVE-2024-1300", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2263139", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", title: "Vulnerability summary", }, { category: "other", text: "This affects only TLS servers with SNI enabled.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1300", }, { category: "external", summary: "RHBZ#2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1300", url: "https://www.cve.org/CVERecord?id=CVE-2024-1300", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", }, { category: "external", summary: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", url: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", }, ], release_date: "2024-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", }, { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-02-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264988", }, ], notes: [ { category: "description", text: "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-25710", }, { category: "external", summary: "RHBZ#2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-25710", url: "https://www.cve.org/CVERecord?id=CVE-2024-25710", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2024/02/19/1", url: "http://www.openwall.com/lists/oss-security/2024/02/19/1", }, { category: "external", summary: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", url: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "No mitigation is currently available for this vulnerability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, ], }
rhsa-2023_3954
Vulnerability from csaf_redhat
Published
2023-06-29 20:07
Modified
2024-12-17 22:56
Summary
Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update
Notes
Topic
A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hazelcast: Hazelcast connection caching (CVE-2022-36437)\n\n* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)\n\n* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)\n\n* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n\n* tomcat: JsonErrorReportValve injection (CVE-2022-45143)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3954", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#critical", url: "https://access.redhat.com/security/updates/classification/#critical", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/", url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/", }, { category: "external", summary: "873317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=873317", }, { category: "external", summary: "1886587", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587", }, { category: "external", summary: "2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2144970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2144970", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "2158695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158695", }, { category: "external", summary: "2162053", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162053", }, { category: "external", summary: "2162206", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162206", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2174246", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "ENTESB-20598", url: "https://issues.redhat.com/browse/ENTESB-20598", }, { category: "external", summary: "ENTESB-21418", url: "https://issues.redhat.com/browse/ENTESB-21418", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3954.json", }, ], title: "Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update", tracking: { current_release_date: "2024-12-17T22:56:32+00:00", generator: { date: "2024-12-17T22:56:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3954", initial_release_date: "2023-06-29T20:07:23+00:00", revision_history: [ { date: "2023-06-29T20:07:23+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-29T20:07:23+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T22:56:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 7.12", product: { name: "Red Hat Fuse 7.12", product_id: "Red Hat Fuse 7.12", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2012-5783", discovery_date: "2012-11-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "873317", }, ], notes: [ { category: "description", text: "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", title: "Vulnerability description", }, { category: "summary", text: "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2012-5783", }, { category: "external", summary: "RHBZ#873317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=873317", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2012-5783", url: "https://www.cve.org/CVERecord?id=CVE-2012-5783", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2012-5783", url: "https://nvd.nist.gov/vuln/detail/CVE-2012-5783", }, ], release_date: "2012-10-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name", }, { cve: "CVE-2020-13956", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-10-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1886587", }, ], notes: [ { category: "description", text: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", title: "Vulnerability description", }, { category: "summary", text: "apache-httpclient: incorrect handling of malformed authority component in request URIs", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.\nIn OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.\n\nIn the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-13956", }, { category: "external", summary: "RHBZ#1886587", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-13956", url: "https://www.cve.org/CVERecord?id=CVE-2020-13956", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956", }, { category: "external", summary: "https://www.openwall.com/lists/oss-security/2020/10/08/4", url: "https://www.openwall.com/lists/oss-security/2020/10/08/4", }, ], release_date: "2020-10-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-httpclient: incorrect handling of malformed authority component in request URIs", }, { cve: "CVE-2022-4492", cwe: { id: "CWE-550", name: "Server-generated Error Message Containing Sensitive Information", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153260", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Server identity in https connection is not checked by the undertow client", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4492", }, { category: "external", summary: "RHBZ#2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4492", url: "https://www.cve.org/CVERecord?id=CVE-2022-4492", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", }, ], release_date: "2022-12-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: Server identity in https connection is not checked by the undertow client", }, { cve: "CVE-2022-24785", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2072009", }, ], notes: [ { category: "description", text: "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", title: "Vulnerability description", }, { category: "summary", text: "Moment.js: Path traversal in moment.locale", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24785", }, { category: "external", summary: "RHBZ#2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24785", url: "https://www.cve.org/CVERecord?id=CVE-2022-24785", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", url: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", }, ], release_date: "2022-04-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "workaround", details: "Sanitize the user-provided locale name before passing it to Moment.js.", product_ids: [ "Red Hat Fuse 7.12", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Moment.js: Path traversal in moment.locale", }, { cve: "CVE-2022-31692", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2023-01-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2162206", }, ], notes: [ { category: "description", text: "A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.", title: "Vulnerability description", }, { category: "summary", text: "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31692", }, { category: "external", summary: "RHBZ#2162206", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162206", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31692", url: "https://www.cve.org/CVERecord?id=CVE-2022-31692", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", }, { category: "external", summary: "https://spring.io/security/cve-2022-31692", url: "https://spring.io/security/cve-2022-31692", }, ], release_date: "2022-10-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", }, { cve: "CVE-2022-36437", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2023-01-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2162053", }, ], notes: [ { category: "description", text: "A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster.", title: "Vulnerability description", }, { category: "summary", text: "hazelcast: Hazelcast connection caching", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration - Camel Quarkus Extensions: Hazelcast is contained in camel-quarkus-hazelcast but it does not affect any supported component. This package is community support only. Hence the low impact for Camel Quarkus Extension.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-36437", }, { category: "external", summary: "RHBZ#2162053", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162053", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-36437", url: "https://www.cve.org/CVERecord?id=CVE-2022-36437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-36437", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36437", }, { category: "external", summary: "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", url: "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", }, ], release_date: "2022-12-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "hazelcast: Hazelcast connection caching", }, { cve: "CVE-2022-38398", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155292", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38398", }, { category: "external", summary: "RHBZ#2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38398", url: "https://www.cve.org/CVERecord?id=CVE-2022-38398", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903462", url: "http://svn.apache.org/viewvc?view=revision&revision=1903462", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1331", url: "https://issues.apache.org/jira/browse/BATIK-1331", }, { category: "external", summary: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", url: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38648", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155295", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38648", }, { category: "external", summary: "RHBZ#2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38648", url: "https://www.cve.org/CVERecord?id=CVE-2022-38648", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903625", url: "http://svn.apache.org/viewvc?view=revision&revision=1903625", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1333", url: "https://issues.apache.org/jira/browse/BATIK-1333", }, { category: "external", summary: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", url: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-40146", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155291", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery (SSRF) vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40146", }, { category: "external", summary: "RHBZ#2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40146", url: "https://www.cve.org/CVERecord?id=CVE-2022-40146", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903910", url: "http://svn.apache.org/viewvc?view=revision&revision=1903910", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1335", url: "https://issues.apache.org/jira/browse/BATIK-1335", }, { category: "external", summary: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", url: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery (SSRF) vulnerability", }, { cve: "CVE-2022-41704", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182182", }, ], notes: [ { category: "description", text: "A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.", title: "Vulnerability description", }, { category: "summary", text: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41704", }, { category: "external", summary: "RHBZ#2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41704", url: "https://www.cve.org/CVERecord?id=CVE-2022-41704", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41940", cwe: { id: "CWE-248", name: "Uncaught Exception", }, discovery_date: "2022-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2144970", }, ], notes: [ { category: "description", text: "A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "engine.io: Specially crafted HTTP request can trigger an uncaught exception", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41940", }, { category: "external", summary: "RHBZ#2144970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2144970", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41940", url: "https://www.cve.org/CVERecord?id=CVE-2022-41940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", }, ], release_date: "2022-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "engine.io: Specially crafted HTTP request can trigger an uncaught exception", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42890", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182183", }, ], notes: [ { category: "description", text: "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.", title: "Vulnerability description", }, { category: "summary", text: "batik: Untrusted code execution in Apache XML Graphics Batik", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42890", }, { category: "external", summary: "RHBZ#2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42890", url: "https://www.cve.org/CVERecord?id=CVE-2022-42890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Untrusted code execution in Apache XML Graphics Batik", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2022-45143", cwe: { id: "CWE-74", name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, discovery_date: "2023-01-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158695", }, ], notes: [ { category: "description", text: "A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: JsonErrorReportValve injection", title: "Vulnerability summary", }, { category: "other", text: "Although it may be rated as CVSS 7.5, it's still considered a low impact flaw as according to the advisory report from Apache, user controlled data may occur in specific cases only and may alter some specific fields only.\n\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45143", }, { category: "external", summary: "RHBZ#2158695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45143", url: "https://www.cve.org/CVERecord?id=CVE-2022-45143", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45143", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45143", }, { category: "external", summary: "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj", url: "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj", }, ], release_date: "2023-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: JsonErrorReportValve injection", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2022-46364", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155682", }, ], notes: [ { category: "description", text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", title: "Vulnerability description", }, { category: "summary", text: "CXF: SSRF Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46364", }, { category: "external", summary: "RHBZ#2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364", url: "https://www.cve.org/CVERecord?id=CVE-2022-46364", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "CXF: SSRF Vulnerability", }, { cve: "CVE-2023-1108", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2023-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2174246", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.", title: "Vulnerability description", }, { category: "summary", text: "Undertow: Infinite loop in SslConduit during close", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { category: "external", summary: "RHBZ#2174246", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1108", url: "https://www.cve.org/CVERecord?id=CVE-2023-1108", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", }, { category: "external", summary: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, ], release_date: "2023-03-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Undertow: Infinite loop in SslConduit during close", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-20883", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-05-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2209342", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20883", }, { category: "external", summary: "RHBZ#2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20883", url: "https://www.cve.org/CVERecord?id=CVE-2023-20883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", }, ], release_date: "2023-05-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", }, { cve: "CVE-2023-22602", cwe: { id: "CWE-436", name: "Interpretation Conflict", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182198", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Authentication bypass through a specially crafted HTTP request", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-22602", }, { category: "external", summary: "RHBZ#2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-22602", url: "https://www.cve.org/CVERecord?id=CVE-2023-22602", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", }, ], release_date: "2023-01-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "shiro: Authentication bypass through a specially crafted HTTP request", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, ], }
rhsa-2023:3906
Vulnerability from csaf_redhat
Published
2023-06-28 15:59
Modified
2025-03-14 23:59
Summary
Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update
Notes
Topic
Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.
Details
A security update for Camel K 1.10.1 is now available.
The purpose of this text-only errata is to inform you about the security issues fixed with this release.
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)
* codehaus-plexus: Directory Traversal (CVE-2022-4244)
* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.", title: "Topic", }, { category: "general", text: "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3906", url: "https://access.redhat.com/errata/RHSA-2023:3906", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "2149841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841", }, { category: "external", summary: "2149843", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update", tracking: { current_release_date: "2025-03-14T23:59:20+00:00", generator: { date: "2025-03-14T23:59:20+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3906", initial_release_date: "2023-06-28T15:59:12+00:00", revision_history: [ { date: "2023-06-28T15:59:12+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-28T15:59:12+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T23:59:20+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-K-1.10.1", product: { name: "RHINT Camel-K-1.10.1", product_id: "RHINT Camel-K-1.10.1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_k:1", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-4244", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2149841", }, ], notes: [ { category: "description", text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.", title: "Vulnerability description", }, { category: "summary", text: "codehaus-plexus: Directory Traversal", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4244", }, { category: "external", summary: "RHBZ#2149841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244", url: "https://www.cve.org/CVERecord?id=CVE-2022-4244", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", }, ], release_date: "2022-12-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codehaus-plexus: Directory Traversal", }, { cve: "CVE-2022-4245", cwe: { id: "CWE-91", name: "XML Injection (aka Blind XPath Injection)", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2149843", }, ], notes: [ { category: "description", text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.", title: "Vulnerability description", }, { category: "summary", text: "codehaus-plexus: XML External Entity (XXE) Injection", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4245", }, { category: "external", summary: "RHBZ#2149843", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245", url: "https://www.cve.org/CVERecord?id=CVE-2022-4245", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", }, ], release_date: "2022-12-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codehaus-plexus: XML External Entity (XXE) Injection", }, { cve: "CVE-2022-39368", cwe: { id: "CWE-459", name: "Incomplete Cleanup", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145205", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.", title: "Vulnerability description", }, { category: "summary", text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-39368", }, { category: "external", summary: "RHBZ#2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368", url: "https://www.cve.org/CVERecord?id=CVE-2022-39368", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", }, { category: "external", summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", }, ], release_date: "2022-11-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023:7697
Vulnerability from csaf_redhat
Published
2023-12-07 13:41
Modified
2025-03-16 06:49
Summary
Red Hat Security Advisory: AMQ Clients 2023.Q4
Notes
Topic
An update is now available for Red Hat AMQ Clients
Red Hat Product Security has rated this update as having an impact of
Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed
severity rating, is available for each vulnerability from the CVE link(s) in the
References section.
Details
Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.
This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 8
and 9.
Security Fix(es):
* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability
* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM
* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length
* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution
* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections
* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow
* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat AMQ Clients\n\nRed Hat Product Security has rated this update as having an impact of\nModerate.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed\nseverity rating, is available for each vulnerability from the CVE link(s) in the\nReferences section.", title: "Topic", }, { category: "general", text: "Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.\n\nThis update provides various bug fixes and enhancements in addition to the\nclient package versions previously released on Red Hat Enterprise Linux 8\nand 9.\n\nSecurity Fix(es):\n\n* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability\n* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM\n* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length\n* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution\n* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections\n* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode\n* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow\n* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:7697", url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_amq_clients/", url: "https://access.redhat.com/documentation/en-us/red_hat_amq_clients/", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2216888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216888", }, { category: "external", summary: "2239634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2239634", }, { category: "external", summary: "2246065", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246065", }, { category: "external", summary: "ENTMQCL-1291", url: "https://issues.redhat.com/browse/ENTMQCL-1291", }, { category: "external", summary: "ENTMQCL-1517", url: "https://issues.redhat.com/browse/ENTMQCL-1517", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7697.json", }, ], title: "Red Hat Security Advisory: AMQ Clients 2023.Q4", tracking: { current_release_date: "2025-03-16T06:49:32+00:00", generator: { date: "2025-03-16T06:49:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:7697", initial_release_date: "2023-12-07T13:41:55+00:00", revision_history: [ { date: "2023-12-07T13:41:55+00:00", number: "1", summary: "Initial version", }, { date: "2023-12-07T13:41:55+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:49:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "AMQ Clients", product: { name: "AMQ Clients", product_id: "AMQ Clients", product_identification_helper: { cpe: "cpe:/a:redhat:amq_clients:2023_q4", }, }, }, ], category: "product_family", name: "Red Hat AMQ Clients", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-34050", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-10-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2246065", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework AMQP. An allowed list exists in Spring AMQP, but when no allowed list is provided, all classes could be deserialized, allowing a malicious user to send harmful content to the broker.", title: "Vulnerability description", }, { category: "summary", text: "springframework-amqp: Deserialization Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "This flaw requires previous knowledge and access to the messages in order to get them deserialized and possibly leak information. It also requires missing server side configurations to prevent unwanted behavior. Therefore, this is rated as a Moderate impact.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-34050", }, { category: "external", summary: "RHBZ#2246065", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246065", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-34050", url: "https://www.cve.org/CVERecord?id=CVE-2023-34050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-34050", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34050", }, { category: "external", summary: "https://spring.io/security/cve-2023-34050", url: "https://spring.io/security/cve-2023-34050", }, ], release_date: "2023-10-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "workaround", details: "An application may be vulnerable if:\n- The SimpleMessageConverter or SerializerMessageConverter is used \n- The user does not configure allowed list patterns \n- Untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content\n\nMake sure these are avoided in order to mitigate the issue.", product_ids: [ "AMQ Clients", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework-amqp: Deserialization Vulnerability", }, { cve: "CVE-2023-34462", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-06-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2216888", }, ], notes: [ { category: "description", text: "A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.", title: "Vulnerability description", }, { category: "summary", text: "netty: SniHandler 16MB allocation leads to OOM", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-34462", }, { category: "external", summary: "RHBZ#2216888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216888", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-34462", url: "https://www.cve.org/CVERecord?id=CVE-2023-34462", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", }, ], release_date: "2023-06-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "workaround", details: "Configuration of SniHandler with an idle timeout will mitigate this issue.", product_ids: [ "AMQ Clients", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: SniHandler 16MB allocation leads to OOM", }, { cve: "CVE-2023-40167", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, discovery_date: "2023-09-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2239634", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.", title: "Vulnerability description", }, { category: "summary", text: "jetty: Improper validation of HTTP/1 content-length", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-40167", }, { category: "external", summary: "RHBZ#2239634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2239634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-40167", url: "https://www.cve.org/CVERecord?id=CVE-2023-40167", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", }, { category: "external", summary: "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", url: "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", }, ], release_date: "2023-09-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jetty: Improper validation of HTTP/1 content-length", }, ], }
rhsa-2024_3527
Vulnerability from csaf_redhat
Published
2024-05-30 20:24
Modified
2024-12-17 08:36
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)\n* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)\n* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n* guava: insecure temporary directory creation (CVE-2023-2976)\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:3527", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "ENTMQST-5619", url: "https://issues.redhat.com/browse/ENTMQST-5619", }, { category: "external", summary: "ENTMQST-5881", url: "https://issues.redhat.com/browse/ENTMQST-5881", }, { category: "external", summary: "ENTMQST-5882", url: "https://issues.redhat.com/browse/ENTMQST-5882", }, { category: "external", summary: "ENTMQST-5883", url: "https://issues.redhat.com/browse/ENTMQST-5883", }, { category: "external", summary: "ENTMQST-5884", url: "https://issues.redhat.com/browse/ENTMQST-5884", }, { category: "external", summary: "ENTMQST-5885", url: "https://issues.redhat.com/browse/ENTMQST-5885", }, { category: "external", summary: "ENTMQST-5886", url: "https://issues.redhat.com/browse/ENTMQST-5886", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3527.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update", tracking: { current_release_date: "2024-12-17T08:36:55+00:00", generator: { date: "2024-12-17T08:36:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:3527", initial_release_date: "2024-05-30T20:24:46+00:00", revision_history: [ { date: "2024-05-30T20:24:46+00:00", number: "1", summary: "Initial version", }, { date: "2024-06-25T17:26:45+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T08:36:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.7.0", product: { name: "Red Hat AMQ Streams 2.7.0", product_id: "Red Hat AMQ Streams 2.7.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-3520", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2021-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1954559", }, ], notes: [ { category: "description", text: "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", title: "Vulnerability description", }, { category: "summary", text: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", title: "Vulnerability summary", }, { category: "other", text: "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3520", }, { category: "external", summary: "RHBZ#1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3520", url: "https://www.cve.org/CVERecord?id=CVE-2021-3520", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", }, ], release_date: "2021-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", }, { cve: "CVE-2021-24032", cwe: { id: "CWE-281", name: "Improper Preservation of Permissions", }, discovery_date: "2021-02-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1928090", }, ], notes: [ { category: "description", text: "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).", title: "Vulnerability description", }, { category: "summary", text: "zstd: Race condition allows attacker to access world-readable destination file", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-24032", }, { category: "external", summary: "RHBZ#1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-24032", url: "https://www.cve.org/CVERecord?id=CVE-2021-24032", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", }, ], release_date: "2021-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: Race condition allows attacker to access world-readable destination file", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-4899", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-01-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2179864", }, ], notes: [ { category: "description", text: "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", title: "Vulnerability description", }, { category: "summary", text: "zstd: mysql: buffer overrun in util.c", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4899", }, { category: "external", summary: "RHBZ#2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4899", url: "https://www.cve.org/CVERecord?id=CVE-2022-4899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", }, ], release_date: "2022-07-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: mysql: buffer overrun in util.c", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2251281", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33202", }, { category: "external", summary: "RHBZ#2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33202", url: "https://www.cve.org/CVERecord?id=CVE-2023-33202", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", }, ], release_date: "2023-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", }, { cve: "CVE-2023-43642", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241722", }, ], notes: [ { category: "description", text: "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-43642", }, { category: "external", summary: "RHBZ#2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-43642", url: "https://www.cve.org/CVERecord?id=CVE-2023-43642", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", }, { category: "external", summary: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", url: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", }, ], release_date: "2023-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-1023", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-01-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2260840", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1023", }, { category: "external", summary: "RHBZ#2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1023", url: "https://www.cve.org/CVERecord?id=CVE-2024-1023", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/issues/5078", url: "https://github.com/eclipse-vertx/vert.x/issues/5078", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5080", url: "https://github.com/eclipse-vertx/vert.x/pull/5080", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5082", url: "https://github.com/eclipse-vertx/vert.x/pull/5082", }, ], release_date: "2024-01-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", }, { cve: "CVE-2024-1300", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2263139", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", title: "Vulnerability summary", }, { category: "other", text: "This affects only TLS servers with SNI enabled.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1300", }, { category: "external", summary: "RHBZ#2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1300", url: "https://www.cve.org/CVERecord?id=CVE-2024-1300", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", }, { category: "external", summary: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", url: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", }, ], release_date: "2024-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", }, { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-02-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264988", }, ], notes: [ { category: "description", text: "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-25710", }, { category: "external", summary: "RHBZ#2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-25710", url: "https://www.cve.org/CVERecord?id=CVE-2024-25710", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2024/02/19/1", url: "http://www.openwall.com/lists/oss-security/2024/02/19/1", }, { category: "external", summary: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", url: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "No mitigation is currently available for this vulnerability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, ], }
RHSA-2023:2099
Vulnerability from csaf_redhat
Published
2023-05-03 14:05
Modified
2025-03-03 16:24
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 1 security update
Notes
Topic
A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:2099", url: "https://access.redhat.com/errata/RHSA-2023:2099", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2099.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 1 security update", tracking: { current_release_date: "2025-03-03T16:24:59+00:00", generator: { date: "2025-03-03T16:24:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:2099", initial_release_date: "2023-05-03T14:05:25+00:00", revision_history: [ { date: "2023-05-03T14:05:25+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-03T14:05:25+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:24:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.18.3.P1", product: { name: "RHINT Camel-Springboot 3.18.3.P1", product_id: "RHINT Camel-Springboot 3.18.3.P1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.18.3", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:25+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2099", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20863", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2187742", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20863", }, { category: "external", summary: "RHBZ#2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20863", url: "https://www.cve.org/CVERecord?id=CVE-2023-20863", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", }, { category: "external", summary: "https://spring.io/security/cve-2023-20863", url: "https://spring.io/security/cve-2023-20863", }, ], release_date: "2023-04-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:25+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2099", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, ], }
rhsa-2023:3663
Vulnerability from csaf_redhat
Published
2023-06-19 10:15
Modified
2025-03-14 23:17
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)
* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)
* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)\n\n* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)\n\n* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n\n* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3663", url: "https://access.redhat.com/errata/RHSA-2023:3663", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2087214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", }, { category: "external", summary: "2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2177626", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", }, { category: "external", summary: "2177629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177629", }, { category: "external", summary: "2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2182864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3663.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2025-03-14T23:17:08+00:00", generator: { date: "2025-03-14T23:17:08+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3663", initial_release_date: "2023-06-19T10:15:57+00:00", revision_history: [ { date: "2023-06-19T10:15:57+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-19T10:15:57+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T23:17:08+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product: { name: "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.11::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686831596-3.el8.src", product: { name: "jenkins-0:2.401.1.1686831596-3.el8.src", product_id: "jenkins-0:2.401.1.1686831596-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product_id: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.11.1686831822-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.11.1686831822-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686831596-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686831596-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686831596-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686831596-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, ], }, vulnerabilities: [ { cve: "CVE-2022-2048", cwe: { id: "CWE-410", name: "Insufficient Resource Pool", }, discovery_date: "2022-08-09T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2116952", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.", title: "Vulnerability description", }, { category: "summary", text: "http2-server: Invalid HTTP/2 requests cause DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2048", }, { category: "external", summary: "RHBZ#2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2048", url: "https://www.cve.org/CVERecord?id=CVE-2022-2048", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", }, ], release_date: "2022-07-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "http2-server: Invalid HTTP/2 requests cause DoS", }, { cve: "CVE-2022-22976", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, discovery_date: "2022-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087214", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.", title: "Vulnerability description", }, { category: "summary", text: "springframework: BCrypt skips salt rounds for work factor of 31", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-22976", }, { category: "external", summary: "RHBZ#2087214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-22976", url: "https://www.cve.org/CVERecord?id=CVE-2022-22976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", }, { category: "external", summary: "https://tanzu.vmware.com/security/cve-2022-22976", url: "https://tanzu.vmware.com/security/cve-2022-22976", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: BCrypt skips salt rounds for work factor of 31", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-26464", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182864", }, ], notes: [ { category: "description", text: "A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.", title: "Vulnerability description", }, { category: "summary", text: "log4j1-socketappender: DoS via hashmap logging", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux 8 and 9 security impacts have been reduced to Low as they do not enable the vulnerable JDK by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-26464", }, { category: "external", summary: "RHBZ#2182864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-26464", url: "https://www.cve.org/CVERecord?id=CVE-2023-26464", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", }, { category: "external", summary: "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", url: "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", }, ], release_date: "2023-03-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j1-socketappender: DoS via hashmap logging", }, { cve: "CVE-2023-27898", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177629", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This issue results in a stored Cross-site scripting (XSS) vulnerability, exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: XSS vulnerability in plugin manager", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27898", }, { category: "external", summary: "RHBZ#2177629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177629", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27898", url: "https://www.cve.org/CVERecord?id=CVE-2023-27898", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27898", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27898", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Jenkins: XSS vulnerability in plugin manager", }, { cve: "CVE-2023-27899", cwe: { id: "CWE-378", name: "Creation of Temporary File With Insecure Permissions", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177626", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary plugin file created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27899", }, { category: "external", summary: "RHBZ#2177626", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27899", url: "https://www.cve.org/CVERecord?id=CVE-2023-27899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Jenkins: Temporary plugin file created with insecure permissions", }, { cve: "CVE-2023-27903", cwe: { id: "CWE-266", name: "Incorrect Privilege Assignment", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177632", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary file parameter created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27903", }, { category: "external", summary: "RHBZ#2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27903", url: "https://www.cve.org/CVERecord?id=CVE-2023-27903", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Temporary file parameter created with insecure permissions", }, { cve: "CVE-2023-27904", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177634", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Information disclosure through error stack traces related to agents", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27904", }, { category: "external", summary: "RHBZ#2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27904", url: "https://www.cve.org/CVERecord?id=CVE-2023-27904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Information disclosure through error stack traces related to agents", }, { cve: "CVE-2023-32977", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207830", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32977", }, { category: "external", summary: "RHBZ#2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32977", url: "https://www.cve.org/CVERecord?id=CVE-2023-32977", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", }, { cve: "CVE-2023-32981", discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207835", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32981", }, { category: "external", summary: "RHBZ#2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32981", url: "https://www.cve.org/CVERecord?id=CVE-2023-32981", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", }, ], }
rhsa-2023_2099
Vulnerability from csaf_redhat
Published
2023-05-03 14:05
Modified
2024-12-10 17:48
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 1 security update
Notes
Topic
A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:2099", url: "https://access.redhat.com/errata/RHSA-2023:2099", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2099.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 1 security update", tracking: { current_release_date: "2024-12-10T17:48:04+00:00", generator: { date: "2024-12-10T17:48:04+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:2099", initial_release_date: "2023-05-03T14:05:25+00:00", revision_history: [ { date: "2023-05-03T14:05:25+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-03T14:05:25+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-10T17:48:04+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.18.3.P1", product: { name: "RHINT Camel-Springboot 3.18.3.P1", product_id: "RHINT Camel-Springboot 3.18.3.P1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.18.3", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:25+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2099", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20863", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2187742", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20863", }, { category: "external", summary: "RHBZ#2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20863", url: "https://www.cve.org/CVERecord?id=CVE-2023-20863", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", }, { category: "external", summary: "https://spring.io/security/cve-2023-20863", url: "https://spring.io/security/cve-2023-20863", }, ], release_date: "2023-04-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:25+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2099", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, ], }
rhsa-2023:3179
Vulnerability from csaf_redhat
Published
2023-05-17 12:29
Modified
2025-03-03 16:24
Summary
Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2-2 security update
Notes
Topic
Red Hat Integration Camel Extensions for Quarkus 2.13.2-2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for Camel Extensions for Quarkus 2.13.2-2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel Extensions for Quarkus 2.13.2-2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for Camel Extensions for Quarkus 2.13.2-2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3179", url: "https://access.redhat.com/errata/RHSA-2023:3179", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3179.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2-2 security update", tracking: { current_release_date: "2025-03-03T16:24:33+00:00", generator: { date: "2025-03-03T16:24:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:3179", initial_release_date: "2023-05-17T12:29:38+00:00", revision_history: [ { date: "2023-05-17T12:29:38+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-17T12:29:38+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:24:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "CEQ 2.13.2-2", product: { name: "CEQ 2.13.2-2", product_id: "CEQ 2.13.2-2", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:2.13", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "CEQ 2.13.2-2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-17T12:29:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "CEQ 2.13.2-2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3179", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CEQ 2.13.2-2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
RHSA-2023:3223
Vulnerability from csaf_redhat
Published
2023-05-18 09:54
Modified
2025-03-16 03:01
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.4.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* scala: deserialization gadget chain (CVE-2022-36944)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* netty: world readable temporary file containing sensitive data (CVE-2022-24823)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* scala: deserialization gadget chain (CVE-2022-36944)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)\n\n* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* netty: world readable temporary file containing sensitive data (CVE-2022-24823)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3223", url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "external", summary: "2154086", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2154086", }, { category: "external", summary: "2169845", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169845", }, { category: "external", summary: "2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.4.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.4.0", }, { category: "external", summary: "2004133", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004133", }, { category: "external", summary: "2004135", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004135", }, { category: "external", summary: "2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "2129809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129809", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "ENTMQST-4107", url: "https://issues.redhat.com/browse/ENTMQST-4107", }, { category: "external", summary: "2064698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2064698", }, { category: "external", summary: "ENTMQST-4541", url: "https://issues.redhat.com/browse/ENTMQST-4541", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3223.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.4.0 release and security update", tracking: { current_release_date: "2025-03-16T03:01:09+00:00", generator: { date: "2025-03-16T03:01:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3223", initial_release_date: "2023-05-18T09:54:05+00:00", revision_history: [ { date: "2023-05-18T09:54:05+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-18T09:54:05+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T03:01:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.4.0", product: { name: "Red Hat AMQ Streams 2.4.0", product_id: "Red Hat AMQ Streams 2.4.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2020-36518", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-03-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2064698", }, ], notes: [ { category: "description", text: "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: denial of service via a large depth of nested objects", title: "Vulnerability summary", }, { category: "other", text: "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-36518", }, { category: "external", summary: "RHBZ#2064698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2064698", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-36518", url: "https://www.cve.org/CVERecord?id=CVE-2020-36518", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-36518", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-36518", }, { category: "external", summary: "https://github.com/advisories/GHSA-57j2-w4cx-62h2", url: "https://github.com/advisories/GHSA-57j2-w4cx-62h2", }, ], release_date: "2020-08-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: denial of service via a large depth of nested objects", }, { cve: "CVE-2021-0341", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2154086", }, ], notes: [ { category: "description", text: "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069", title: "Vulnerability description", }, { category: "summary", text: "okhttp: information disclosure via improperly used cryptographic function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-0341", }, { category: "external", summary: "RHBZ#2154086", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2154086", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-0341", url: "https://www.cve.org/CVERecord?id=CVE-2021-0341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-0341", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-0341", }, { category: "external", summary: "https://source.android.com/security/bulletin/2021-02-01", url: "https://source.android.com/security/bulletin/2021-02-01", }, ], release_date: "2021-02-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "okhttp: information disclosure via improperly used cryptographic function", }, { cve: "CVE-2021-37136", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2004133", }, ], notes: [ { category: "description", text: "A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", title: "Vulnerability summary", }, { category: "other", text: "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37136", }, { category: "external", summary: "RHBZ#2004133", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004133", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37136", url: "https://www.cve.org/CVERecord?id=CVE-2021-37136", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, ], release_date: "2021-09-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", }, { cve: "CVE-2021-37137", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2004135", }, ], notes: [ { category: "description", text: "A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37137", }, { category: "external", summary: "RHBZ#2004135", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004135", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37137", url: "https://www.cve.org/CVERecord?id=CVE-2021-37137", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, ], release_date: "2021-09-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", }, { cve: "CVE-2021-46877", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2185707", }, ], notes: [ { category: "description", text: "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-46877", }, { category: "external", summary: "RHBZ#2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-46877", url: "https://www.cve.org/CVERecord?id=CVE-2021-46877", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", }, ], release_date: "2023-03-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", }, { cve: "CVE-2022-24823", cwe: { id: "CWE-379", name: "Creation of Temporary File in Directory with Insecure Permissions", }, discovery_date: "2022-05-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087186", }, ], notes: [ { category: "description", text: "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.", title: "Vulnerability description", }, { category: "summary", text: "netty: world readable temporary file containing sensitive data", title: "Vulnerability summary", }, { category: "other", text: "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24823", }, { category: "external", summary: "RHBZ#2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24823", url: "https://www.cve.org/CVERecord?id=CVE-2022-24823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", }, ], release_date: "2022-05-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "workaround", details: "As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: world readable temporary file containing sensitive data", }, { cve: "CVE-2022-36944", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129809", }, ], notes: [ { category: "description", text: "A flaw was found in Scala's LazyList that permits code execution during deserialization. This issue could allow an attacker to craft a LazyList containing a malicious Function0 call to execute arbitrary code on a server that deserializes untrusted data.", title: "Vulnerability description", }, { category: "summary", text: "scala: deserialization gadget chain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-36944", }, { category: "external", summary: "RHBZ#2129809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-36944", url: "https://www.cve.org/CVERecord?id=CVE-2022-36944", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", }, { category: "external", summary: "https://github.com/scala/scala/pull/10118", url: "https://github.com/scala/scala/pull/10118", }, ], release_date: "2022-09-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "workaround", details: "Users of Scala's LazyList should never permit deserialization of untrusted data.", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "scala: deserialization gadget chain", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2023-0833", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2023-02-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2169845", }, ], notes: [ { category: "description", text: "A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.", title: "Vulnerability description", }, { category: "summary", text: "Streams: component version with information disclosure flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0833", }, { category: "external", summary: "RHBZ#2169845", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169845", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0833", url: "https://www.cve.org/CVERecord?id=CVE-2023-0833", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0833", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0833", }, { category: "external", summary: "https://github.com/square/okhttp/issues/6738", url: "https://github.com/square/okhttp/issues/6738", }, ], release_date: "2023-02-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Streams: component version with information disclosure flaw", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-25194", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2216516", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Kafka Connect's REST API that permits configuration of SASL property by an authenticated operator, which could allow connection to a malicious LDAP server and subsequent deserialization of malicious content. This issue could allow an authenticated attacker to cause a denial of service or execute arbitrary code on the server, given presence of vulnerable classes on the server's classpath.", title: "Vulnerability description", }, { category: "summary", text: "kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-25194", }, { category: "external", summary: "RHBZ#2216516", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216516", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-25194", url: "https://www.cve.org/CVERecord?id=CVE-2023-25194", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", }, { category: "external", summary: "https://kafka.apache.org/cve-list#CVE-2023-25194", url: "https://kafka.apache.org/cve-list#CVE-2023-25194", }, { category: "external", summary: "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", url: "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", }, ], release_date: "2023-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect", }, ], }
RHSA-2023:3362
Vulnerability from csaf_redhat
Published
2023-06-07 09:23
Modified
2025-03-03 16:25
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.10.
Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:3363
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.10.\n\nRed Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2023:3363\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3362", url: "https://access.redhat.com/errata/RHSA-2023:3362", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/articles/11258", url: "https://access.redhat.com/articles/11258", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3362.json", }, ], title: "Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update", tracking: { current_release_date: "2025-03-03T16:25:48+00:00", generator: { date: "2025-03-03T16:25:48+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:3362", initial_release_date: "2023-06-07T09:23:42+00:00", revision_history: [ { date: "2023-06-07T09:23:42+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-07T09:23:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:25:48+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenShift Container Platform 4.10", product: { name: "Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:4.10::el7", }, }, }, { category: "product_name", name: "Red Hat OpenShift Container Platform 4.10", product: { name: "Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:4.10::el8", }, }, }, ], category: "product_family", name: "Red Hat OpenShift Enterprise", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=src", }, }, }, { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product_id: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.10.1684982411-1.el8?arch=src", }, }, }, { category: "product_version", name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product: { name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product_id: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-sushy@4.1.6-0.20230517173625.5490eb6.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.10.1684982411-1.el8?arch=noarch", }, }, }, { category: "product_version", name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product: { name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_id: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-sushy@4.1.6-0.20230517173625.5490eb6.el8?arch=noarch", }, }, }, { category: "product_version", name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product: { name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_id: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-sushy-tests@4.1.6-0.20230517173625.5490eb6.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", }, product_reference: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", }, product_reference: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", }, product_reference: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", ], known_not_affected: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-07T09:23:42+00:00", details: "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html", product_ids: [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3362", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023_7697
Vulnerability from csaf_redhat
Published
2023-12-07 13:41
Modified
2024-12-17 23:02
Summary
Red Hat Security Advisory: AMQ Clients 2023.Q4
Notes
Topic
An update is now available for Red Hat AMQ Clients
Red Hat Product Security has rated this update as having an impact of
Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed
severity rating, is available for each vulnerability from the CVE link(s) in the
References section.
Details
Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.
This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 8
and 9.
Security Fix(es):
* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability
* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM
* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length
* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution
* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections
* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow
* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat AMQ Clients\n\nRed Hat Product Security has rated this update as having an impact of\nModerate.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed\nseverity rating, is available for each vulnerability from the CVE link(s) in the\nReferences section.", title: "Topic", }, { category: "general", text: "Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.\n\nThis update provides various bug fixes and enhancements in addition to the\nclient package versions previously released on Red Hat Enterprise Linux 8\nand 9.\n\nSecurity Fix(es):\n\n* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability\n* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM\n* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length\n* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution\n* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections\n* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode\n* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow\n* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:7697", url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_amq_clients/", url: "https://access.redhat.com/documentation/en-us/red_hat_amq_clients/", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2216888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216888", }, { category: "external", summary: "2239634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2239634", }, { category: "external", summary: "2246065", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246065", }, { category: "external", summary: "ENTMQCL-1291", url: "https://issues.redhat.com/browse/ENTMQCL-1291", }, { category: "external", summary: "ENTMQCL-1517", url: "https://issues.redhat.com/browse/ENTMQCL-1517", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7697.json", }, ], title: "Red Hat Security Advisory: AMQ Clients 2023.Q4", tracking: { current_release_date: "2024-12-17T23:02:29+00:00", generator: { date: "2024-12-17T23:02:29+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:7697", initial_release_date: "2023-12-07T13:41:55+00:00", revision_history: [ { date: "2023-12-07T13:41:55+00:00", number: "1", summary: "Initial version", }, { date: "2023-12-07T13:41:55+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T23:02:29+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "AMQ Clients", product: { name: "AMQ Clients", product_id: "AMQ Clients", product_identification_helper: { cpe: "cpe:/a:redhat:amq_clients:2023_q4", }, }, }, ], category: "product_family", name: "Red Hat AMQ Clients", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-34050", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-10-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2246065", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework AMQP. An allowed list exists in Spring AMQP, but when no allowed list is provided, all classes could be deserialized, allowing a malicious user to send harmful content to the broker.", title: "Vulnerability description", }, { category: "summary", text: "springframework-amqp: Deserialization Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "This flaw requires previous knowledge and access to the messages in order to get them deserialized and possibly leak information. It also requires missing server side configurations to prevent unwanted behavior. Therefore, this is rated as a Moderate impact.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-34050", }, { category: "external", summary: "RHBZ#2246065", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246065", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-34050", url: "https://www.cve.org/CVERecord?id=CVE-2023-34050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-34050", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34050", }, { category: "external", summary: "https://spring.io/security/cve-2023-34050", url: "https://spring.io/security/cve-2023-34050", }, ], release_date: "2023-10-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "workaround", details: "An application may be vulnerable if:\n- The SimpleMessageConverter or SerializerMessageConverter is used \n- The user does not configure allowed list patterns \n- Untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content\n\nMake sure these are avoided in order to mitigate the issue.", product_ids: [ "AMQ Clients", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework-amqp: Deserialization Vulnerability", }, { cve: "CVE-2023-34462", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-06-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2216888", }, ], notes: [ { category: "description", text: "A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.", title: "Vulnerability description", }, { category: "summary", text: "netty: SniHandler 16MB allocation leads to OOM", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-34462", }, { category: "external", summary: "RHBZ#2216888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216888", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-34462", url: "https://www.cve.org/CVERecord?id=CVE-2023-34462", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", }, ], release_date: "2023-06-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "workaround", details: "Configuration of SniHandler with an idle timeout will mitigate this issue.", product_ids: [ "AMQ Clients", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: SniHandler 16MB allocation leads to OOM", }, { cve: "CVE-2023-40167", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, discovery_date: "2023-09-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2239634", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.", title: "Vulnerability description", }, { category: "summary", text: "jetty: Improper validation of HTTP/1 content-length", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-40167", }, { category: "external", summary: "RHBZ#2239634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2239634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-40167", url: "https://www.cve.org/CVERecord?id=CVE-2023-40167", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", }, { category: "external", summary: "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", url: "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", }, ], release_date: "2023-09-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jetty: Improper validation of HTTP/1 content-length", }, ], }
rhsa-2023_3610
Vulnerability from csaf_redhat
Published
2023-06-15 00:17
Modified
2024-12-16 16:07
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)\n\n* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3610", url: "https://access.redhat.com/errata/RHSA-2023:3610", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2155970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970", }, { category: "external", summary: "2164278", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", }, { category: "external", summary: "2178358", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2178358", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3610.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2024-12-16T16:07:08+00:00", generator: { date: "2024-12-16T16:07:08+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3610", initial_release_date: "2023-06-15T00:17:42+00:00", revision_history: [ { date: "2023-06-15T00:17:42+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T00:17:42+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-16T16:07:08+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.12", product: { name: "OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.12::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686649641-3.el8.src", product: { name: "jenkins-0:2.401.1.1686649641-3.el8.src", product_id: "jenkins-0:2.401.1.1686649641-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product_id: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686649641-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686649641-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686649641-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686649641-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, ], }, vulnerabilities: [ { cve: "CVE-2021-46877", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-11T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2185707", }, ], notes: [ { category: "description", text: "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-46877", }, { category: "external", summary: "RHBZ#2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-46877", url: "https://www.cve.org/CVERecord?id=CVE-2021-46877", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", }, ], release_date: "2023-03-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", }, { cve: "CVE-2022-29599", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, discovery_date: "2022-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066479", }, ], notes: [ { category: "description", text: "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", title: "Vulnerability description", }, { category: "summary", text: "maven-shared-utils: Command injection via Commandline class", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-29599", }, { category: "external", summary: "RHBZ#2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-29599", url: "https://www.cve.org/CVERecord?id=CVE-2022-29599", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", }, ], release_date: "2020-05-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "maven-shared-utils: Command injection via Commandline class", }, { cve: "CVE-2022-30953", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119646", }, ], notes: [ { category: "description", text: "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: CSRF vulnerability in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30953", }, { category: "external", summary: "RHBZ#2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30953", url: "https://www.cve.org/CVERecord?id=CVE-2022-30953", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: CSRF vulnerability in Blue Ocean Plugin", }, { cve: "CVE-2022-30954", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119647", }, ], notes: [ { category: "description", text: "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: missing permission checks in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30954", }, { category: "external", summary: "RHBZ#2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30954", url: "https://www.cve.org/CVERecord?id=CVE-2022-30954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: missing permission checks in Blue Ocean Plugin", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-45693", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-23T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155970", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", title: "Vulnerability summary", }, { category: "other", text: "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45693", }, { category: "external", summary: "RHBZ#2155970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45693", url: "https://www.cve.org/CVERecord?id=CVE-2022-45693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-24422", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2023-01-25T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2164278", }, ], notes: [ { category: "description", text: "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-24422", }, { category: "external", summary: "RHBZ#2164278", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-24422", url: "https://www.cve.org/CVERecord?id=CVE-2023-24422", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", }, ], release_date: "2023-01-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", }, { cve: "CVE-2023-32977", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207830", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32977", }, { category: "external", summary: "RHBZ#2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32977", url: "https://www.cve.org/CVERecord?id=CVE-2023-32977", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", }, { cve: "CVE-2023-32981", discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207835", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32981", }, { category: "external", summary: "RHBZ#2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32981", url: "https://www.cve.org/CVERecord?id=CVE-2023-32981", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", }, ], }
rhsa-2023:3954
Vulnerability from csaf_redhat
Published
2023-06-29 20:07
Modified
2025-03-16 06:49
Summary
Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update
Notes
Topic
A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Critical", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A minor version update (from 7.11 to 7.12) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse 7.11 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* hazelcast: Hazelcast connection caching (CVE-2022-36437)\n\n* spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security (CVE-2022-31692)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n\n* Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name (CVE-2012-5783)\n\n* apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* Moment.js: Path traversal in moment.locale (CVE-2022-24785)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* engine.io: Specially crafted HTTP request can trigger an uncaught exception (CVE-2022-41940)\n\n* postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n\n* tomcat: JsonErrorReportValve injection (CVE-2022-45143)\n\nFor more details about the security issues, including the impact, CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3954", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#critical", url: "https://access.redhat.com/security/updates/classification/#critical", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.12.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/", url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.12/", }, { category: "external", summary: "873317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=873317", }, { category: "external", summary: "1886587", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587", }, { category: "external", summary: "2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2144970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2144970", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "2158695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158695", }, { category: "external", summary: "2162053", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162053", }, { category: "external", summary: "2162206", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162206", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2174246", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "ENTESB-20598", url: "https://issues.redhat.com/browse/ENTESB-20598", }, { category: "external", summary: "ENTESB-21418", url: "https://issues.redhat.com/browse/ENTESB-21418", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3954.json", }, ], title: "Red Hat Security Advisory: Red Hat Fuse 7.12 release and security update", tracking: { current_release_date: "2025-03-16T06:49:05+00:00", generator: { date: "2025-03-16T06:49:05+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3954", initial_release_date: "2023-06-29T20:07:23+00:00", revision_history: [ { date: "2023-06-29T20:07:23+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-29T20:07:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:49:05+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 7.12", product: { name: "Red Hat Fuse 7.12", product_id: "Red Hat Fuse 7.12", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2012-5783", discovery_date: "2012-11-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "873317", }, ], notes: [ { category: "description", text: "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", title: "Vulnerability description", }, { category: "summary", text: "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2012-5783", }, { category: "external", summary: "RHBZ#873317", url: "https://bugzilla.redhat.com/show_bug.cgi?id=873317", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2012-5783", url: "https://www.cve.org/CVERecord?id=CVE-2012-5783", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2012-5783", url: "https://nvd.nist.gov/vuln/detail/CVE-2012-5783", }, ], release_date: "2012-10-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name", }, { cve: "CVE-2020-13956", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2020-10-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1886587", }, ], notes: [ { category: "description", text: "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", title: "Vulnerability description", }, { category: "summary", text: "apache-httpclient: incorrect handling of malformed authority component in request URIs", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.\nIn OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.\n\nIn the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-13956", }, { category: "external", summary: "RHBZ#1886587", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1886587", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-13956", url: "https://www.cve.org/CVERecord?id=CVE-2020-13956", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-13956", }, { category: "external", summary: "https://www.openwall.com/lists/oss-security/2020/10/08/4", url: "https://www.openwall.com/lists/oss-security/2020/10/08/4", }, ], release_date: "2020-10-08T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-httpclient: incorrect handling of malformed authority component in request URIs", }, { cve: "CVE-2022-4492", cwe: { id: "CWE-550", name: "Server-generated Error Message Containing Sensitive Information", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153260", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Server identity in https connection is not checked by the undertow client", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4492", }, { category: "external", summary: "RHBZ#2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4492", url: "https://www.cve.org/CVERecord?id=CVE-2022-4492", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", }, ], release_date: "2022-12-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: Server identity in https connection is not checked by the undertow client", }, { cve: "CVE-2022-24785", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-04-05T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2072009", }, ], notes: [ { category: "description", text: "A path traversal vulnerability was found in Moment.js that impacts npm (server) users. This issue occurs if a user-provided locale string is directly used to switch moment locale, which an attacker can exploit to change the correct path to one of their choice. This can result in a loss of integrity.", title: "Vulnerability description", }, { category: "summary", text: "Moment.js: Path traversal in moment.locale", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24785", }, { category: "external", summary: "RHBZ#2072009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2072009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24785", url: "https://www.cve.org/CVERecord?id=CVE-2022-24785", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", }, { category: "external", summary: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", url: "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", }, ], release_date: "2022-04-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "workaround", details: "Sanitize the user-provided locale name before passing it to Moment.js.", product_ids: [ "Red Hat Fuse 7.12", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Moment.js: Path traversal in moment.locale", }, { cve: "CVE-2022-31692", cwe: { id: "CWE-863", name: "Incorrect Authorization", }, discovery_date: "2023-01-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2162206", }, ], notes: [ { category: "description", text: "A flaw was found in the spring-security framework. Spring Security could allow a remote attacker to bypass security restrictions caused by an issue when using forward or include dispatcher types. By sending a specially-crafted request, an attacker can bypass authorization rules.", title: "Vulnerability description", }, { category: "summary", text: "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31692", }, { category: "external", summary: "RHBZ#2162206", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162206", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31692", url: "https://www.cve.org/CVERecord?id=CVE-2022-31692", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", }, { category: "external", summary: "https://spring.io/security/cve-2022-31692", url: "https://spring.io/security/cve-2022-31692", }, ], release_date: "2022-10-31T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-security: Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", }, { cve: "CVE-2022-36437", cwe: { id: "CWE-384", name: "Session Fixation", }, discovery_date: "2023-01-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2162053", }, ], notes: [ { category: "description", text: "A flaw was found in Hazelcast and Hazelcast Jet. This flaw may allow an attacker unauthenticated access to manipulate data in the cluster.", title: "Vulnerability description", }, { category: "summary", text: "hazelcast: Hazelcast connection caching", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration - Camel Quarkus Extensions: Hazelcast is contained in camel-quarkus-hazelcast but it does not affect any supported component. This package is community support only. Hence the low impact for Camel Quarkus Extension.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-36437", }, { category: "external", summary: "RHBZ#2162053", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2162053", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-36437", url: "https://www.cve.org/CVERecord?id=CVE-2022-36437", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-36437", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36437", }, { category: "external", summary: "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", url: "https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp", }, ], release_date: "2022-12-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "hazelcast: Hazelcast connection caching", }, { cve: "CVE-2022-38398", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155292", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38398", }, { category: "external", summary: "RHBZ#2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38398", url: "https://www.cve.org/CVERecord?id=CVE-2022-38398", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903462", url: "http://svn.apache.org/viewvc?view=revision&revision=1903462", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1331", url: "https://issues.apache.org/jira/browse/BATIK-1331", }, { category: "external", summary: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", url: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38648", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155295", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38648", }, { category: "external", summary: "RHBZ#2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38648", url: "https://www.cve.org/CVERecord?id=CVE-2022-38648", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903625", url: "http://svn.apache.org/viewvc?view=revision&revision=1903625", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1333", url: "https://issues.apache.org/jira/browse/BATIK-1333", }, { category: "external", summary: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", url: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-40146", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155291", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery (SSRF) vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40146", }, { category: "external", summary: "RHBZ#2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40146", url: "https://www.cve.org/CVERecord?id=CVE-2022-40146", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903910", url: "http://svn.apache.org/viewvc?view=revision&revision=1903910", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1335", url: "https://issues.apache.org/jira/browse/BATIK-1335", }, { category: "external", summary: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", url: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery (SSRF) vulnerability", }, { cve: "CVE-2022-41704", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182182", }, ], notes: [ { category: "description", text: "A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.", title: "Vulnerability description", }, { category: "summary", text: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41704", }, { category: "external", summary: "RHBZ#2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41704", url: "https://www.cve.org/CVERecord?id=CVE-2022-41704", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41940", cwe: { id: "CWE-248", name: "Uncaught Exception", }, discovery_date: "2022-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2144970", }, ], notes: [ { category: "description", text: "A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "engine.io: Specially crafted HTTP request can trigger an uncaught exception", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41940", }, { category: "external", summary: "RHBZ#2144970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2144970", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41940", url: "https://www.cve.org/CVERecord?id=CVE-2022-41940", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41940", }, ], release_date: "2022-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "engine.io: Specially crafted HTTP request can trigger an uncaught exception", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42890", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182183", }, ], notes: [ { category: "description", text: "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.", title: "Vulnerability description", }, { category: "summary", text: "batik: Untrusted code execution in Apache XML Graphics Batik", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42890", }, { category: "external", summary: "RHBZ#2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42890", url: "https://www.cve.org/CVERecord?id=CVE-2022-42890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Untrusted code execution in Apache XML Graphics Batik", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2022-45143", cwe: { id: "CWE-74", name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, discovery_date: "2023-01-06T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2158695", }, ], notes: [ { category: "description", text: "A flaw was found in the Tomcat package. This flaw allowed users to input an invalid JSON structure, causing unwanted behavior as it did not escape the type, message, or description values.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: JsonErrorReportValve injection", title: "Vulnerability summary", }, { category: "other", text: "Although it may be rated as CVSS 7.5, it's still considered a low impact flaw as according to the advisory report from Apache, user controlled data may occur in specific cases only and may alter some specific fields only.\n\nRed Hat Satellite does not include the affected Apache Tomcat, however, Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45143", }, { category: "external", summary: "RHBZ#2158695", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2158695", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45143", url: "https://www.cve.org/CVERecord?id=CVE-2022-45143", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45143", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45143", }, { category: "external", summary: "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj", url: "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj", }, ], release_date: "2023-01-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: JsonErrorReportValve injection", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2022-46364", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155682", }, ], notes: [ { category: "description", text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", title: "Vulnerability description", }, { category: "summary", text: "CXF: SSRF Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46364", }, { category: "external", summary: "RHBZ#2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364", url: "https://www.cve.org/CVERecord?id=CVE-2022-46364", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "CXF: SSRF Vulnerability", }, { cve: "CVE-2023-1108", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2023-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2174246", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.", title: "Vulnerability description", }, { category: "summary", text: "Undertow: Infinite loop in SslConduit during close", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { category: "external", summary: "RHBZ#2174246", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1108", url: "https://www.cve.org/CVERecord?id=CVE-2023-1108", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1108", }, { category: "external", summary: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, ], release_date: "2023-03-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Undertow: Infinite loop in SslConduit during close", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-20883", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-05-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2209342", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20883", }, { category: "external", summary: "RHBZ#2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20883", url: "https://www.cve.org/CVERecord?id=CVE-2023-20883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", }, ], release_date: "2023-05-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", }, { cve: "CVE-2023-22602", cwe: { id: "CWE-436", name: "Interpretation Conflict", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182198", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Authentication bypass through a specially crafted HTTP request", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-22602", }, { category: "external", summary: "RHBZ#2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-22602", url: "https://www.cve.org/CVERecord?id=CVE-2023-22602", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", }, ], release_date: "2023-01-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "shiro: Authentication bypass through a specially crafted HTTP request", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 7.12", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-29T20:07:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Fuse 7.12", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3954", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat Fuse 7.12", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, ], }
rhsa-2023_3223
Vulnerability from csaf_redhat
Published
2023-05-18 09:54
Modified
2024-12-17 21:17
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.4.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* scala: deserialization gadget chain (CVE-2022-36944)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* netty: world readable temporary file containing sensitive data (CVE-2022-24823)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* scala: deserialization gadget chain (CVE-2022-36944)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)\n\n* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* netty: world readable temporary file containing sensitive data (CVE-2022-24823)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3223", url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.4.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.4.0", }, { category: "external", summary: "2004133", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004133", }, { category: "external", summary: "2004135", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004135", }, { category: "external", summary: "2064698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2064698", }, { category: "external", summary: "2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "2129809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129809", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2154086", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2154086", }, { category: "external", summary: "2169845", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169845", }, { category: "external", summary: "2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "ENTMQST-4107", url: "https://issues.redhat.com/browse/ENTMQST-4107", }, { category: "external", summary: "ENTMQST-4541", url: "https://issues.redhat.com/browse/ENTMQST-4541", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3223.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.4.0 release and security update", tracking: { current_release_date: "2024-12-17T21:17:37+00:00", generator: { date: "2024-12-17T21:17:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3223", initial_release_date: "2023-05-18T09:54:05+00:00", revision_history: [ { date: "2023-05-18T09:54:05+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-18T09:54:05+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T21:17:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.4.0", product: { name: "Red Hat AMQ Streams 2.4.0", product_id: "Red Hat AMQ Streams 2.4.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2020-36518", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-03-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2064698", }, ], notes: [ { category: "description", text: "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: denial of service via a large depth of nested objects", title: "Vulnerability summary", }, { category: "other", text: "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-36518", }, { category: "external", summary: "RHBZ#2064698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2064698", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-36518", url: "https://www.cve.org/CVERecord?id=CVE-2020-36518", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-36518", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-36518", }, { category: "external", summary: "https://github.com/advisories/GHSA-57j2-w4cx-62h2", url: "https://github.com/advisories/GHSA-57j2-w4cx-62h2", }, ], release_date: "2020-08-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: denial of service via a large depth of nested objects", }, { cve: "CVE-2021-0341", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2154086", }, ], notes: [ { category: "description", text: "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069", title: "Vulnerability description", }, { category: "summary", text: "okhttp: information disclosure via improperly used cryptographic function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-0341", }, { category: "external", summary: "RHBZ#2154086", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2154086", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-0341", url: "https://www.cve.org/CVERecord?id=CVE-2021-0341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-0341", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-0341", }, { category: "external", summary: "https://source.android.com/security/bulletin/2021-02-01", url: "https://source.android.com/security/bulletin/2021-02-01", }, ], release_date: "2021-02-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "okhttp: information disclosure via improperly used cryptographic function", }, { cve: "CVE-2021-37136", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2004133", }, ], notes: [ { category: "description", text: "A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", title: "Vulnerability summary", }, { category: "other", text: "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37136", }, { category: "external", summary: "RHBZ#2004133", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004133", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37136", url: "https://www.cve.org/CVERecord?id=CVE-2021-37136", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, ], release_date: "2021-09-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", }, { cve: "CVE-2021-37137", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2004135", }, ], notes: [ { category: "description", text: "A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37137", }, { category: "external", summary: "RHBZ#2004135", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004135", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37137", url: "https://www.cve.org/CVERecord?id=CVE-2021-37137", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, ], release_date: "2021-09-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", }, { cve: "CVE-2021-46877", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2185707", }, ], notes: [ { category: "description", text: "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-46877", }, { category: "external", summary: "RHBZ#2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-46877", url: "https://www.cve.org/CVERecord?id=CVE-2021-46877", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", }, ], release_date: "2023-03-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", }, { cve: "CVE-2022-24823", cwe: { id: "CWE-379", name: "Creation of Temporary File in Directory with Insecure Permissions", }, discovery_date: "2022-05-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087186", }, ], notes: [ { category: "description", text: "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.", title: "Vulnerability description", }, { category: "summary", text: "netty: world readable temporary file containing sensitive data", title: "Vulnerability summary", }, { category: "other", text: "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24823", }, { category: "external", summary: "RHBZ#2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24823", url: "https://www.cve.org/CVERecord?id=CVE-2022-24823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", }, ], release_date: "2022-05-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "workaround", details: "As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: world readable temporary file containing sensitive data", }, { cve: "CVE-2022-36944", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129809", }, ], notes: [ { category: "description", text: "A flaw was found in Scala's LazyList that permits code execution during deserialization. This issue could allow an attacker to craft a LazyList containing a malicious Function0 call to execute arbitrary code on a server that deserializes untrusted data.", title: "Vulnerability description", }, { category: "summary", text: "scala: deserialization gadget chain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-36944", }, { category: "external", summary: "RHBZ#2129809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-36944", url: "https://www.cve.org/CVERecord?id=CVE-2022-36944", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", }, { category: "external", summary: "https://github.com/scala/scala/pull/10118", url: "https://github.com/scala/scala/pull/10118", }, ], release_date: "2022-09-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "workaround", details: "Users of Scala's LazyList should never permit deserialization of untrusted data.", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "scala: deserialization gadget chain", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2023-0833", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2023-02-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2169845", }, ], notes: [ { category: "description", text: "A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.", title: "Vulnerability description", }, { category: "summary", text: "Streams: component version with information disclosure flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0833", }, { category: "external", summary: "RHBZ#2169845", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169845", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0833", url: "https://www.cve.org/CVERecord?id=CVE-2023-0833", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0833", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0833", }, { category: "external", summary: "https://github.com/square/okhttp/issues/6738", url: "https://github.com/square/okhttp/issues/6738", }, ], release_date: "2023-02-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Streams: component version with information disclosure flaw", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-25194", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2216516", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Kafka Connect's REST API that permits configuration of SASL property by an authenticated operator, which could allow connection to a malicious LDAP server and subsequent deserialization of malicious content. This issue could allow an authenticated attacker to cause a denial of service or execute arbitrary code on the server, given presence of vulnerable classes on the server's classpath.", title: "Vulnerability description", }, { category: "summary", text: "kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-25194", }, { category: "external", summary: "RHBZ#2216516", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216516", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-25194", url: "https://www.cve.org/CVERecord?id=CVE-2023-25194", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", }, { category: "external", summary: "https://kafka.apache.org/cve-list#CVE-2023-25194", url: "https://kafka.apache.org/cve-list#CVE-2023-25194", }, { category: "external", summary: "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", url: "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", }, ], release_date: "2023-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect", }, ], }
RHSA-2023:3641
Vulnerability from csaf_redhat
Published
2023-06-15 15:23
Modified
2025-03-16 06:48
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Notes
Topic
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3641", url: "https://access.redhat.com/errata/RHSA-2023:3641", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3641.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release", tracking: { current_release_date: "2025-03-16T06:48:55+00:00", generator: { date: "2025-03-16T06:48:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3641", initial_release_date: "2023-06-15T15:23:47+00:00", revision_history: [ { date: "2023-06-15T15:23:47+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T15:23:47+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:48:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.18.3.P2", product: { name: "RHINT Camel-Springboot 3.18.3.P2", product_id: "RHINT Camel-Springboot 3.18.3.P2", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.18", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-38750", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129707", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38750", }, { category: "external", summary: "RHBZ#2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38750", url: "https://www.cve.org/CVERecord?id=CVE-2022-38750", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", }, { cve: "CVE-2022-38751", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129709", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38751", }, { category: "external", summary: "RHBZ#2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38751", url: "https://www.cve.org/CVERecord?id=CVE-2022-38751", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", }, { cve: "CVE-2022-38752", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129710", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38752", }, { category: "external", summary: "RHBZ#2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38752", url: "https://www.cve.org/CVERecord?id=CVE-2022-38752", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134291", }, ], notes: [ { category: "description", text: "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", title: "Vulnerability description", }, { category: "summary", text: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40152", }, { category: "external", summary: "RHBZ#2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40152", url: "https://www.cve.org/CVERecord?id=CVE-2022-40152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", }, { category: "external", summary: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", url: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40156", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134288", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40156", }, { category: "external", summary: "RHBZ#2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40156", url: "https://www.cve.org/CVERecord?id=CVE-2022-40156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-45047", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145194", }, ], notes: [ { category: "description", text: "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", title: "Vulnerability description", }, { category: "summary", text: "mina-sshd: Java unsafe deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45047", }, { category: "external", summary: "RHBZ#2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45047", url: "https://www.cve.org/CVERecord?id=CVE-2022-45047", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", }, { category: "external", summary: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", url: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", }, ], release_date: "2022-11-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, { category: "workaround", details: "From the maintainer:\n\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "mina-sshd: Java unsafe deserialization vulnerability", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2022-46364", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155682", }, ], notes: [ { category: "description", text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", title: "Vulnerability description", }, { category: "summary", text: "CXF: SSRF Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46364", }, { category: "external", summary: "RHBZ#2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364", url: "https://www.cve.org/CVERecord?id=CVE-2022-46364", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "CXF: SSRF Vulnerability", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20883", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-05-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2209342", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20883", }, { category: "external", summary: "RHBZ#2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20883", url: "https://www.cve.org/CVERecord?id=CVE-2023-20883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", }, ], release_date: "2023-05-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", }, ], }
RHSA-2023:3610
Vulnerability from csaf_redhat
Published
2023-06-15 00:17
Modified
2025-03-15 00:10
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin (CVE-2023-24422)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)\n\n* jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3610", url: "https://access.redhat.com/errata/RHSA-2023:3610", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2155970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970", }, { category: "external", summary: "2164278", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", }, { category: "external", summary: "2178358", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2178358", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3610.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2025-03-15T00:10:48+00:00", generator: { date: "2025-03-15T00:10:48+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3610", initial_release_date: "2023-06-15T00:17:42+00:00", revision_history: [ { date: "2023-06-15T00:17:42+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T00:17:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T00:10:48+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.12", product: { name: "OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.12::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686649641-3.el8.src", product: { name: "jenkins-0:2.401.1.1686649641-3.el8.src", product_id: "jenkins-0:2.401.1.1686649641-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product_id: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686649641-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686649641-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1686649756-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686649641-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686649641-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686649641-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686649641-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.12.1686649756-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, ], }, vulnerabilities: [ { cve: "CVE-2021-46877", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-11T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2185707", }, ], notes: [ { category: "description", text: "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-46877", }, { category: "external", summary: "RHBZ#2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-46877", url: "https://www.cve.org/CVERecord?id=CVE-2021-46877", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", }, ], release_date: "2023-03-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", }, { cve: "CVE-2022-29599", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, discovery_date: "2022-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066479", }, ], notes: [ { category: "description", text: "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", title: "Vulnerability description", }, { category: "summary", text: "maven-shared-utils: Command injection via Commandline class", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-29599", }, { category: "external", summary: "RHBZ#2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-29599", url: "https://www.cve.org/CVERecord?id=CVE-2022-29599", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", }, ], release_date: "2020-05-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "maven-shared-utils: Command injection via Commandline class", }, { cve: "CVE-2022-30953", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119646", }, ], notes: [ { category: "description", text: "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: CSRF vulnerability in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30953", }, { category: "external", summary: "RHBZ#2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30953", url: "https://www.cve.org/CVERecord?id=CVE-2022-30953", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: CSRF vulnerability in Blue Ocean Plugin", }, { cve: "CVE-2022-30954", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119647", }, ], notes: [ { category: "description", text: "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: missing permission checks in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30954", }, { category: "external", summary: "RHBZ#2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30954", url: "https://www.cve.org/CVERecord?id=CVE-2022-30954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: missing permission checks in Blue Ocean Plugin", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-45693", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-23T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155970", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison, where it is vulnerable to a denial of service caused by a stack-based buffer overflow. By sending a specially-crafted request using the map parameter, a remote attacker can cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", title: "Vulnerability summary", }, { category: "other", text: "Red Hat has determined the impact of this flaw to be Moderate; a successful attack using this flaw would require the processing of untrusted, unsanitized, or unrestricted user inputs, which runs counter to established Red Hat security practices.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45693", }, { category: "external", summary: "RHBZ#2155970", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155970", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45693", url: "https://www.cve.org/CVERecord?id=CVE-2022-45693", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45693", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-24422", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2023-01-25T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2164278", }, ], notes: [ { category: "description", text: "A flaw was found in the script-security Jenkins Plugin. In affected versions of the script-security plugin, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-24422", }, { category: "external", summary: "RHBZ#2164278", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2164278", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-24422", url: "https://www.cve.org/CVERecord?id=CVE-2023-24422", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24422", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", url: "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016", }, ], release_date: "2023-01-24T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin", }, { cve: "CVE-2023-32977", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207830", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32977", }, { category: "external", summary: "RHBZ#2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32977", url: "https://www.cve.org/CVERecord?id=CVE-2023-32977", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", }, { cve: "CVE-2023-32981", discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207835", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32981", }, { category: "external", summary: "RHBZ#2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32981", url: "https://www.cve.org/CVERecord?id=CVE-2023-32981", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T00:17:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3610", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.401.1.1686649641-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1686649756-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", }, ], }
rhsa-2023_3663
Vulnerability from csaf_redhat
Published
2023-06-19 10:15
Modified
2024-12-17 23:05
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)
* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)
* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)
* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)
* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)
* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.11.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* log4j1-chainsaw, log4j1-socketappender: DoS via hashmap logging (CVE-2023-26464)\n\n* Jenkins: XSS vulnerability in plugin manager (CVE-2023-27898)\n\n* Jenkins: Temporary plugin file created with insecure permissions (CVE-2023-27899)\n\n* jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin (CVE-2023-32977)\n\n* http2-server: Invalid HTTP/2 requests cause DoS (CVE-2022-2048)\n\n* springframework: BCrypt skips salt rounds for work factor of 31 (CVE-2022-22976)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin (CVE-2023-32981)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3663", url: "https://access.redhat.com/errata/RHSA-2023:3663", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2087214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", }, { category: "external", summary: "2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2177626", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", }, { category: "external", summary: "2177629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177629", }, { category: "external", summary: "2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2182864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3663.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2024-12-17T23:05:24+00:00", generator: { date: "2024-12-17T23:05:24+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3663", initial_release_date: "2023-06-19T10:15:57+00:00", revision_history: [ { date: "2023-06-19T10:15:57+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-19T10:15:57+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T23:05:24+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product: { name: "OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.11::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686831596-3.el8.src", product: { name: "jenkins-0:2.401.1.1686831596-3.el8.src", product_id: "jenkins-0:2.401.1.1686831596-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product_id: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.11.1686831822-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686831596-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686831596-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.11.1686831822-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686831596-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686831596-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686831596-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686831596-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.11 for RHEL 8", product_id: "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.11.1686831822-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.11", }, ], }, vulnerabilities: [ { cve: "CVE-2022-2048", cwe: { id: "CWE-410", name: "Insufficient Resource Pool", }, discovery_date: "2022-08-09T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2116952", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Jetty http2-server package. This flaw allows an attacker to cause a denial of service in the server via HTTP/2 requests.", title: "Vulnerability description", }, { category: "summary", text: "http2-server: Invalid HTTP/2 requests cause DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-2048", }, { category: "external", summary: "RHBZ#2116952", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2116952", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-2048", url: "https://www.cve.org/CVERecord?id=CVE-2022-2048", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-2048", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgmr-mf83-7x4j", }, ], release_date: "2022-07-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "http2-server: Invalid HTTP/2 requests cause DoS", }, { cve: "CVE-2022-22976", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, discovery_date: "2022-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087214", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor (31) due to an integer overflow error.", title: "Vulnerability description", }, { category: "summary", text: "springframework: BCrypt skips salt rounds for work factor of 31", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-22976", }, { category: "external", summary: "RHBZ#2087214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087214", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-22976", url: "https://www.cve.org/CVERecord?id=CVE-2022-22976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-22976", }, { category: "external", summary: "https://tanzu.vmware.com/security/cve-2022-22976", url: "https://tanzu.vmware.com/security/cve-2022-22976", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: BCrypt skips salt rounds for work factor of 31", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-26464", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182864", }, ], notes: [ { category: "description", text: "A flaw was found in Chainsaw and SocketAppender components with Log4j 1.x on JRE, less than 1.7. This issue may allow an attacker to use a logging entry with a specially-crafted hashmap or hashtable, depending on which logging component is in use, to process and exhaust the available memory in the virtual machine, resulting in a Denial of Service when the object is deserialized. This issue affects Apache Log4j before version 2.", title: "Vulnerability description", }, { category: "summary", text: "log4j1-socketappender: DoS via hashmap logging", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux 8 and 9 security impacts have been reduced to Low as they do not enable the vulnerable JDK by default.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-26464", }, { category: "external", summary: "RHBZ#2182864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-26464", url: "https://www.cve.org/CVERecord?id=CVE-2023-26464", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", }, { category: "external", summary: "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", url: "https://www.ibm.com/support/pages/security-bulletin-vulnerability-log4j-1216jar-affect-ibm-operations-analytics-log-analysis-cve-2023-26464", }, ], release_date: "2023-03-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "log4j1-socketappender: DoS via hashmap logging", }, { cve: "CVE-2023-27898", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177629", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. Affected versions of Jenkins do not escape the Jenkins version that a plugin depends on when rendering the error message stating its incompatibility with the current version of Jenkins in the plugin manager. This issue results in a stored Cross-site scripting (XSS) vulnerability, exploitable by attackers able to provide plugins to the configured update sites and have this message shown by Jenkins instances.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: XSS vulnerability in plugin manager", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27898", }, { category: "external", summary: "RHBZ#2177629", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177629", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27898", url: "https://www.cve.org/CVERecord?id=CVE-2023-27898", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27898", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27898", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3037", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Jenkins: XSS vulnerability in plugin manager", }, { cve: "CVE-2023-27899", cwe: { id: "CWE-378", name: "Creation of Temporary File With Insecure Permissions", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177626", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary plugin file created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27899", }, { category: "external", summary: "RHBZ#2177626", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177626", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27899", url: "https://www.cve.org/CVERecord?id=CVE-2023-27899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27899", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Jenkins: Temporary plugin file created with insecure permissions", }, { cve: "CVE-2023-27903", cwe: { id: "CWE-266", name: "Incorrect Privilege Assignment", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177632", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary file parameter created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27903", }, { category: "external", summary: "RHBZ#2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27903", url: "https://www.cve.org/CVERecord?id=CVE-2023-27903", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Temporary file parameter created with insecure permissions", }, { cve: "CVE-2023-27904", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177634", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Information disclosure through error stack traces related to agents", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27904", }, { category: "external", summary: "RHBZ#2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27904", url: "https://www.cve.org/CVERecord?id=CVE-2023-27904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Information disclosure through error stack traces related to agents", }, { cve: "CVE-2023-32977", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207830", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Job Plugin. Affected versions of Jenkins Pipeline: Job Plugin are vulnerable to Cross-site scripting caused by improper validation of user-supplied input. This flaw allows a remote authenticated attacker to inject malicious script into a Web page, which would then be executed in a victim's Web browser within the security context of the hosting Web site once the page is viewed. The attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32977", }, { category: "external", summary: "RHBZ#2207830", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207830", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32977", url: "https://www.cve.org/CVERecord?id=CVE-2023-32977", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32977", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3042", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-2-plugin: workflow-job: Stored XSS vulnerability in Pipeline: Job Plugin", }, { cve: "CVE-2023-32981", discovery_date: "2023-05-17T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2207835", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. This flaw allows a remote, authenticated attacker to traverse directories on the system, caused by improper archive file validation. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is in ELS. Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected/won'tfix.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-32981", }, { category: "external", summary: "RHBZ#2207835", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2207835", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-32981", url: "https://www.cve.org/CVERecord?id=CVE-2023-32981", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-32981", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", url: "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196", }, ], release_date: "2023-05-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-19T10:15:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3663", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-0:2.401.1.1686831596-3.el8.src", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.noarch", "8Base-OCP-Tools-4.11:jenkins-2-plugins-0:4.11.1686831822-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin", }, ], }
rhsa-2023_3193
Vulnerability from csaf_redhat
Published
2023-05-17 15:49
Modified
2024-12-10 17:50
Summary
Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 security update
Notes
Topic
Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for Camel Extensions for Quarkus 2.7.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Security Fix(es):
* CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n Red Hat Product Security has rated this update as having an impact of Important.\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for Camel Extensions for Quarkus 2.7.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n Red Hat Product Security has rated this update as having an impact of Important.\n\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n Security Fix(es):\n\n * CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3193", url: "https://access.redhat.com/errata/RHSA-2023:3193", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/security/cve/cve-2023-1370", url: "https://access.redhat.com/security/cve/cve-2023-1370", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3193.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 security update", tracking: { current_release_date: "2024-12-10T17:50:55+00:00", generator: { date: "2024-12-10T17:50:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3193", initial_release_date: "2023-05-17T15:49:21+00:00", revision_history: [ { date: "2023-05-17T15:49:21+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-17T15:49:21+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-10T17:50:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "CEQ 2.7.1-1", product: { name: "CEQ 2.7.1-1", product_id: "CEQ 2.7.1-1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:2.7", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "CEQ 2.7.1-1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-17T15:49:21+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "CEQ 2.7.1-1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3193", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CEQ 2.7.1-1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023:3622
Vulnerability from csaf_redhat
Published
2023-06-15 09:03
Modified
2025-03-14 22:08
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3622", url: "https://access.redhat.com/errata/RHSA-2023:3622", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html", url: "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html", }, { category: "external", summary: "2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3622.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2025-03-14T22:08:02+00:00", generator: { date: "2025-03-14T22:08:02+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3622", initial_release_date: "2023-06-15T09:03:50+00:00", revision_history: [ { date: "2023-06-15T09:03:50+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T09:03:50+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T22:08:02+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.13", product: { name: "OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.13::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686680404-3.el8.src", product: { name: "jenkins-0:2.401.1.1686680404-3.el8.src", product_id: "jenkins-0:2.401.1.1686680404-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product_id: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686680404-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686680404-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686680404-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686680404-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, ], }, vulnerabilities: [ { cve: "CVE-2022-29599", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, discovery_date: "2022-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066479", }, ], notes: [ { category: "description", text: "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", title: "Vulnerability description", }, { category: "summary", text: "maven-shared-utils: Command injection via Commandline class", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-29599", }, { category: "external", summary: "RHBZ#2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-29599", url: "https://www.cve.org/CVERecord?id=CVE-2022-29599", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", }, ], release_date: "2020-05-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "maven-shared-utils: Command injection via Commandline class", }, { cve: "CVE-2022-30953", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119646", }, ], notes: [ { category: "description", text: "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: CSRF vulnerability in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30953", }, { category: "external", summary: "RHBZ#2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30953", url: "https://www.cve.org/CVERecord?id=CVE-2022-30953", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: CSRF vulnerability in Blue Ocean Plugin", }, { cve: "CVE-2022-30954", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119647", }, ], notes: [ { category: "description", text: "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: missing permission checks in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30954", }, { category: "external", summary: "RHBZ#2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30954", url: "https://www.cve.org/CVERecord?id=CVE-2022-30954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: missing permission checks in Blue Ocean Plugin", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-27903", cwe: { id: "CWE-266", name: "Incorrect Privilege Assignment", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177632", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary file parameter created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27903", }, { category: "external", summary: "RHBZ#2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27903", url: "https://www.cve.org/CVERecord?id=CVE-2023-27903", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Temporary file parameter created with insecure permissions", }, { cve: "CVE-2023-27904", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177634", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Information disclosure through error stack traces related to agents", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27904", }, { category: "external", summary: "RHBZ#2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27904", url: "https://www.cve.org/CVERecord?id=CVE-2023-27904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Information disclosure through error stack traces related to agents", }, ], }
RHSA-2023:3622
Vulnerability from csaf_redhat
Published
2023-06-15 09:03
Modified
2025-03-14 22:08
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3622", url: "https://access.redhat.com/errata/RHSA-2023:3622", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html", url: "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html", }, { category: "external", summary: "2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3622.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2025-03-14T22:08:02+00:00", generator: { date: "2025-03-14T22:08:02+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3622", initial_release_date: "2023-06-15T09:03:50+00:00", revision_history: [ { date: "2023-06-15T09:03:50+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T09:03:50+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T22:08:02+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.13", product: { name: "OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.13::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686680404-3.el8.src", product: { name: "jenkins-0:2.401.1.1686680404-3.el8.src", product_id: "jenkins-0:2.401.1.1686680404-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product_id: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686680404-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686680404-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686680404-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686680404-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, ], }, vulnerabilities: [ { cve: "CVE-2022-29599", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, discovery_date: "2022-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066479", }, ], notes: [ { category: "description", text: "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", title: "Vulnerability description", }, { category: "summary", text: "maven-shared-utils: Command injection via Commandline class", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-29599", }, { category: "external", summary: "RHBZ#2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-29599", url: "https://www.cve.org/CVERecord?id=CVE-2022-29599", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", }, ], release_date: "2020-05-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "maven-shared-utils: Command injection via Commandline class", }, { cve: "CVE-2022-30953", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119646", }, ], notes: [ { category: "description", text: "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: CSRF vulnerability in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30953", }, { category: "external", summary: "RHBZ#2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30953", url: "https://www.cve.org/CVERecord?id=CVE-2022-30953", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: CSRF vulnerability in Blue Ocean Plugin", }, { cve: "CVE-2022-30954", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119647", }, ], notes: [ { category: "description", text: "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: missing permission checks in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30954", }, { category: "external", summary: "RHBZ#2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30954", url: "https://www.cve.org/CVERecord?id=CVE-2022-30954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: missing permission checks in Blue Ocean Plugin", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-27903", cwe: { id: "CWE-266", name: "Incorrect Privilege Assignment", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177632", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary file parameter created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27903", }, { category: "external", summary: "RHBZ#2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27903", url: "https://www.cve.org/CVERecord?id=CVE-2023-27903", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Temporary file parameter created with insecure permissions", }, { cve: "CVE-2023-27904", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177634", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Information disclosure through error stack traces related to agents", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27904", }, { category: "external", summary: "RHBZ#2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27904", url: "https://www.cve.org/CVERecord?id=CVE-2023-27904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Information disclosure through error stack traces related to agents", }, ], }
rhsa-2023:2099
Vulnerability from csaf_redhat
Published
2023-05-03 14:05
Modified
2025-03-03 16:24
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 1 security update
Notes
Topic
A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A patch is now available for Camel for Spring Boot 3.18.3. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:2099", url: "https://access.redhat.com/errata/RHSA-2023:2099", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2099.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 1 security update", tracking: { current_release_date: "2025-03-03T16:24:59+00:00", generator: { date: "2025-03-03T16:24:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:2099", initial_release_date: "2023-05-03T14:05:25+00:00", revision_history: [ { date: "2023-05-03T14:05:25+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-03T14:05:25+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:24:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.18.3.P1", product: { name: "RHINT Camel-Springboot 3.18.3.P1", product_id: "RHINT Camel-Springboot 3.18.3.P1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.18.3", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:25+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2099", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-20863", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2187742", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20863", }, { category: "external", summary: "RHBZ#2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20863", url: "https://www.cve.org/CVERecord?id=CVE-2023-20863", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", }, { category: "external", summary: "https://spring.io/security/cve-2023-20863", url: "https://spring.io/security/cve-2023-20863", }, ], release_date: "2023-04-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:25+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2099", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, ], }
rhsa-2023:3223
Vulnerability from csaf_redhat
Published
2023-05-18 09:54
Modified
2025-03-16 03:01
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.4.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* scala: deserialization gadget chain (CVE-2022-36944)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)
* okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)
* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)
* netty: world readable temporary file containing sensitive data (CVE-2022-24823)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.4.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.4.0 serves as a replacement for Red Hat AMQ Streams 2.3.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* scala: deserialization gadget chain (CVE-2022-36944)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)\n\n* netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)\n\n* netty: world readable temporary file containing sensitive data (CVE-2022-24823)\n\n* jettison: parser crash by stackoverflow (CVE-2022-40149)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* Red Hat A-MQ Streams: component version with information disclosure flaw (CVE-2023-0833)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3223", url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "external", summary: "2154086", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2154086", }, { category: "external", summary: "2169845", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169845", }, { category: "external", summary: "2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.4.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.streams&version=2.4.0", }, { category: "external", summary: "2004133", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004133", }, { category: "external", summary: "2004135", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004135", }, { category: "external", summary: "2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "2129809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129809", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "ENTMQST-4107", url: "https://issues.redhat.com/browse/ENTMQST-4107", }, { category: "external", summary: "2064698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2064698", }, { category: "external", summary: "ENTMQST-4541", url: "https://issues.redhat.com/browse/ENTMQST-4541", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3223.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.4.0 release and security update", tracking: { current_release_date: "2025-03-16T03:01:09+00:00", generator: { date: "2025-03-16T03:01:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3223", initial_release_date: "2023-05-18T09:54:05+00:00", revision_history: [ { date: "2023-05-18T09:54:05+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-18T09:54:05+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T03:01:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.4.0", product: { name: "Red Hat AMQ Streams 2.4.0", product_id: "Red Hat AMQ Streams 2.4.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2020-36518", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-03-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2064698", }, ], notes: [ { category: "description", text: "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: denial of service via a large depth of nested objects", title: "Vulnerability summary", }, { category: "other", text: "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2020-36518", }, { category: "external", summary: "RHBZ#2064698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2064698", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2020-36518", url: "https://www.cve.org/CVERecord?id=CVE-2020-36518", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2020-36518", url: "https://nvd.nist.gov/vuln/detail/CVE-2020-36518", }, { category: "external", summary: "https://github.com/advisories/GHSA-57j2-w4cx-62h2", url: "https://github.com/advisories/GHSA-57j2-w4cx-62h2", }, ], release_date: "2020-08-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: denial of service via a large depth of nested objects", }, { cve: "CVE-2021-0341", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2154086", }, ], notes: [ { category: "description", text: "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069", title: "Vulnerability description", }, { category: "summary", text: "okhttp: information disclosure via improperly used cryptographic function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-0341", }, { category: "external", summary: "RHBZ#2154086", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2154086", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-0341", url: "https://www.cve.org/CVERecord?id=CVE-2021-0341", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-0341", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-0341", }, { category: "external", summary: "https://source.android.com/security/bulletin/2021-02-01", url: "https://source.android.com/security/bulletin/2021-02-01", }, ], release_date: "2021-02-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "okhttp: information disclosure via improperly used cryptographic function", }, { cve: "CVE-2021-37136", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2004133", }, ], notes: [ { category: "description", text: "A flaw was found in Netty's netty-codec due to size restrictions for decompressed data in the Bzip2Decoder. By sending a specially-crafted input, a remote attacker could cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", title: "Vulnerability summary", }, { category: "other", text: "In the OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack ship the vulnerable version of netty-codec package. Since the release of OCP 4.6, the Metering product has been deprecated [1], so the affected components are marked as wontfix. This may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37136", }, { category: "external", summary: "RHBZ#2004133", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004133", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37136", url: "https://www.cve.org/CVERecord?id=CVE-2021-37136", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, ], release_date: "2021-09-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data", }, { cve: "CVE-2021-37137", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2021-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2004135", }, ], notes: [ { category: "description", text: "A flaw was found in the Netty's netty-codec due to unrestricted chunk lengths in the SnappyFrameDecoder. By sending a specially-crafted input, a remote attacker could cause excessive memory usage resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\nStarting in OCP 4.7, the elasticsearch component is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37137", }, { category: "external", summary: "RHBZ#2004135", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2004135", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37137", url: "https://www.cve.org/CVERecord?id=CVE-2021-37137", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", url: "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", }, ], release_date: "2021-09-09T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way", }, { cve: "CVE-2021-46877", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-11T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2185707", }, ], notes: [ { category: "description", text: "A flaw was found in Jackson Databind. This issue may allow a malicious user to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-46877", }, { category: "external", summary: "RHBZ#2185707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2185707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-46877", url: "https://www.cve.org/CVERecord?id=CVE-2021-46877", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-46877", }, ], release_date: "2023-03-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode", }, { cve: "CVE-2022-24823", cwe: { id: "CWE-379", name: "Creation of Temporary File in Directory with Insecure Permissions", }, discovery_date: "2022-05-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2087186", }, ], notes: [ { category: "description", text: "CVE-2021-21290 contains an incomplete fix, and this addresses the issue found in netty. When using multipart decoders in netty, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled.", title: "Vulnerability description", }, { category: "summary", text: "netty: world readable temporary file containing sensitive data", title: "Vulnerability summary", }, { category: "other", text: "This issue only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\nRed Hat Satellite 6 is not affected as is using netty 3.6.7 version which is not impacted by this vulnerability.\n\nRed Hat Fuse 7 is now in Maintenance Support Phase and should be fixed soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-24823", }, { category: "external", summary: "RHBZ#2087186", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2087186", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-24823", url: "https://www.cve.org/CVERecord?id=CVE-2022-24823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-24823", }, ], release_date: "2022-05-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "workaround", details: "As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: world readable temporary file containing sensitive data", }, { cve: "CVE-2022-36944", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129809", }, ], notes: [ { category: "description", text: "A flaw was found in Scala's LazyList that permits code execution during deserialization. This issue could allow an attacker to craft a LazyList containing a malicious Function0 call to execute arbitrary code on a server that deserializes untrusted data.", title: "Vulnerability description", }, { category: "summary", text: "scala: deserialization gadget chain", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-36944", }, { category: "external", summary: "RHBZ#2129809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-36944", url: "https://www.cve.org/CVERecord?id=CVE-2022-36944", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", }, { category: "external", summary: "https://github.com/scala/scala/pull/10118", url: "https://github.com/scala/scala/pull/10118", }, ], release_date: "2022-09-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, { category: "workaround", details: "Users of Scala's LazyList should never permit deserialization of untrusted data.", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "scala: deserialization gadget chain", }, { cve: "CVE-2022-40149", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135771", }, ], notes: [ { category: "description", text: "A stack-based buffer overflow vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. This flaw allows an attacker to supply content that causes the parser to crash by writing outside the memory bounds if the parser is running on user-supplied input, resulting in a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: parser crash by stackoverflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40149", }, { category: "external", summary: "RHBZ#2135771", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135771", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40149", url: "https://www.cve.org/CVERecord?id=CVE-2022-40149", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40149", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: parser crash by stackoverflow", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2023-0833", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2023-02-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2169845", }, ], notes: [ { category: "description", text: "A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.", title: "Vulnerability description", }, { category: "summary", text: "Streams: component version with information disclosure flaw", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-0833", }, { category: "external", summary: "RHBZ#2169845", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169845", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-0833", url: "https://www.cve.org/CVERecord?id=CVE-2023-0833", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-0833", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-0833", }, { category: "external", summary: "https://github.com/square/okhttp/issues/6738", url: "https://github.com/square/okhttp/issues/6738", }, ], release_date: "2023-02-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Streams: component version with information disclosure flaw", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-25194", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2216516", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Kafka Connect's REST API that permits configuration of SASL property by an authenticated operator, which could allow connection to a malicious LDAP server and subsequent deserialization of malicious content. This issue could allow an authenticated attacker to cause a denial of service or execute arbitrary code on the server, given presence of vulnerable classes on the server's classpath.", title: "Vulnerability description", }, { category: "summary", text: "kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.4.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-25194", }, { category: "external", summary: "RHBZ#2216516", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216516", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-25194", url: "https://www.cve.org/CVERecord?id=CVE-2023-25194", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-25194", }, { category: "external", summary: "https://kafka.apache.org/cve-list#CVE-2023-25194", url: "https://kafka.apache.org/cve-list#CVE-2023-25194", }, { category: "external", summary: "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", url: "https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz", }, ], release_date: "2023-02-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-18T09:54:05+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat AMQ Streams 2.4.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3223", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.4.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "kafka: RCE/DoS via SASL JAAS JndiLoginModule configuration in Kafka Connect", }, ], }
RHSA-2023:3179
Vulnerability from csaf_redhat
Published
2023-05-17 12:29
Modified
2025-03-03 16:24
Summary
Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2-2 security update
Notes
Topic
Red Hat Integration Camel Extensions for Quarkus 2.13.2-2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for Camel Extensions for Quarkus 2.13.2-2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel Extensions for Quarkus 2.13.2-2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for Camel Extensions for Quarkus 2.13.2-2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3179", url: "https://access.redhat.com/errata/RHSA-2023:3179", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3179.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2-2 security update", tracking: { current_release_date: "2025-03-03T16:24:33+00:00", generator: { date: "2025-03-03T16:24:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:3179", initial_release_date: "2023-05-17T12:29:38+00:00", revision_history: [ { date: "2023-05-17T12:29:38+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-17T12:29:38+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:24:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "CEQ 2.13.2-2", product: { name: "CEQ 2.13.2-2", product_id: "CEQ 2.13.2-2", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:2.13", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "CEQ 2.13.2-2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-17T12:29:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "CEQ 2.13.2-2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3179", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CEQ 2.13.2-2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
RHSA-2023:2100
Vulnerability from csaf_redhat
Published
2023-05-03 14:05
Modified
2025-03-16 06:49
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)
* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)
* apache-ivy: Directory Traversal (CVE-2022-37865)
* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)
* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel for Spring Boot 3.20.1 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Camel for Spring Boot 3.20.1 serves as a replacement for Camel for Spring Boot 3.18.3 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* JXPath: untrusted XPath expressions may lead to RCE attack (CVE-2022-41852)\n\n* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* apache-commons-net: FTP client trusts the host from PASV response by default (CVE-2021-37533)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* apache-spark: XSS vulnerability in log viewer UI Javascript (CVE-2022-31777)\n\n* Apache Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM (CVE-2022-33681)\n\n* apache-ivy: Directory Traversal (CVE-2022-37865)\n\n* : Apache Ivy: Ivy Path traversal (CVE-2022-37866)\n\n* batik: Server-Side Request Forgery (CVE-2022-38398)\n\n* batik: Server-Side Request Forgery (CVE-2022-38648)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40151)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* batik: Apache XML Graphics Batik vulnerable to code execution via SVG (CVE-2022-41704)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* batik: Untrusted code execution in Apache XML Graphics Batik (CVE-2022-42890)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* shiro: Authentication bypass through a specially crafted HTTP request (CVE-2023-22602)\n\n* Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)\n\n* jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20863)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:2100", url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "2134292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "2136128", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136128", }, { category: "external", summary: "2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "2136207", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136207", }, { category: "external", summary: "2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "2145264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145264", }, { category: "external", summary: "2150011", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150011", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "2169924", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169924", }, { category: "external", summary: "2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "2172298", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2172298", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "2182188", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182188", }, { category: "external", summary: "2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_2100.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.1 security update", tracking: { current_release_date: "2025-03-16T06:49:26+00:00", generator: { date: "2025-03-16T06:49:26+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:2100", initial_release_date: "2023-05-03T14:05:29+00:00", revision_history: [ { date: "2023-05-03T14:05:29+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-03T14:05:29+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:49:26+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.20.1", product: { name: "RHINT Camel-Springboot 3.20.1", product_id: "RHINT Camel-Springboot 3.20.1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.20.1", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-37533", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2023-02-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2169924", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Net's FTP, where the client trusts the host from PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the private network of the client.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-net: FTP client trusts the host from PASV response by default", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-37533", }, { category: "external", summary: "RHBZ#2169924", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2169924", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-37533", url: "https://www.cve.org/CVERecord?id=CVE-2021-37533", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-37533", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-37533", }, ], release_date: "2023-02-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-net: FTP client trusts the host from PASV response by default", }, { cve: "CVE-2022-4492", cwe: { id: "CWE-550", name: "Server-generated Error Message Containing Sensitive Information", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153260", }, ], notes: [ { category: "description", text: "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Server identity in https connection is not checked by the undertow client", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4492", }, { category: "external", summary: "RHBZ#2153260", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153260", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4492", url: "https://www.cve.org/CVERecord?id=CVE-2022-4492", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4492", }, ], release_date: "2022-12-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "undertow: Server identity in https connection is not checked by the undertow client", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-31777", cwe: { id: "CWE-74", name: "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145264", }, ], notes: [ { category: "description", text: "A stored cross-site scripting (XSS) flaw was found in Apache Spark. This issue allows an attacker to execute arbitrary JavaScript in the web browser of a user, including a malicious payload into the logs which are returned in logs rendered in the UI.", title: "Vulnerability description", }, { category: "summary", text: "apache-spark: XSS vulnerability in log viewer UI Javascript", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-31777", }, { category: "external", summary: "RHBZ#2145264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145264", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-31777", url: "https://www.cve.org/CVERecord?id=CVE-2022-31777", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-31777", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-31777", }, ], release_date: "2022-11-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-spark: XSS vulnerability in log viewer UI Javascript", }, { cve: "CVE-2022-33681", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136207", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Pulsar Java Client. This flaw allows an attacker to use a Man-in-the-Middle (MITM) attack, manipulating network traffic and gaining the client's authentication data.", title: "Vulnerability description", }, { category: "summary", text: "Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-33681", }, { category: "external", summary: "RHBZ#2136207", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136207", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-33681", url: "https://www.cve.org/CVERecord?id=CVE-2022-33681", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-33681", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-33681", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Pulsar: Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM", }, { cve: "CVE-2022-37865", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182188", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Ivy. With Apache Ivy 2.4.0, an optional packaging attribute was introduced that allows artifacts to be unpacked on the fly if pack200 or zip packaging was used. This issue could allow a malicious used to have unwanted access.", title: "Vulnerability description", }, { category: "summary", text: "apache-ivy: Directory Traversal", title: "Vulnerability summary", }, { category: "other", text: "Although the CVSS states High according to NIST, due to the nature of this flaw, considering it's an optional attribute and there must be restrictions in other layers to prevent attacks, this flaw is taken as a Moderate following the Medium impact from Apache.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-37865", }, { category: "external", summary: "RHBZ#2182188", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182188", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-37865", url: "https://www.cve.org/CVERecord?id=CVE-2022-37865", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-37865", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37865", }, { category: "external", summary: "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", url: "https://lists.apache.org/thread/gqvvv7qsm2dfjg6xzsw1s2h08tbr0sdy", }, ], release_date: "2022-11-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.1, baseSeverity: "CRITICAL", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-ivy: Directory Traversal", }, { cve: "CVE-2022-37866", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150011", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Ivy. This may allow an attacker to place artifacts inside and outside of Ivy's repository and overwrite artifacts that the user will use later.", title: "Vulnerability description", }, { category: "summary", text: "Ivy: Ivy Path traversal", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-37866", }, { category: "external", summary: "RHBZ#2150011", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150011", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-37866", url: "https://www.cve.org/CVERecord?id=CVE-2022-37866", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-37866", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-37866", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Ivy: Ivy Path traversal", }, { cve: "CVE-2022-38398", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155292", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to load a url thru the jar protocol. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38398", }, { category: "external", summary: "RHBZ#2155292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38398", url: "https://www.cve.org/CVERecord?id=CVE-2022-38398", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38398", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903462", url: "http://svn.apache.org/viewvc?view=revision&revision=1903462", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1331", url: "https://issues.apache.org/jira/browse/BATIK-1331", }, { category: "external", summary: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", url: "https://lists.apache.org/thread/712c9xwtmyghyokzrm2ml6sps4xlmbsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38648", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155295", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to fetch external resources. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38648", }, { category: "external", summary: "RHBZ#2155295", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155295", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38648", url: "https://www.cve.org/CVERecord?id=CVE-2022-38648", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38648", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903625", url: "http://svn.apache.org/viewvc?view=revision&revision=1903625", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1333", url: "https://issues.apache.org/jira/browse/BATIK-1333", }, { category: "external", summary: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", url: "https://lists.apache.org/thread/gfsktxvj7jtwyovmhhbrw0bs13wfjd7b", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-38750", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129707", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38750", }, { category: "external", summary: "RHBZ#2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38750", url: "https://www.cve.org/CVERecord?id=CVE-2022-38750", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", }, { cve: "CVE-2022-38751", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129709", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38751", }, { category: "external", summary: "RHBZ#2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38751", url: "https://www.cve.org/CVERecord?id=CVE-2022-38751", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", }, { cve: "CVE-2022-38752", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129710", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38752", }, { category: "external", summary: "RHBZ#2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38752", url: "https://www.cve.org/CVERecord?id=CVE-2022-38752", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", }, { cve: "CVE-2022-39368", cwe: { id: "CWE-459", name: "Incomplete Cleanup", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145205", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.", title: "Vulnerability description", }, { category: "summary", text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-39368", }, { category: "external", summary: "RHBZ#2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368", url: "https://www.cve.org/CVERecord?id=CVE-2022-39368", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", }, { category: "external", summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", }, ], release_date: "2022-11-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", }, { cve: "CVE-2022-40146", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155291", }, ], notes: [ { category: "description", text: "Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XML Graphics allows an attacker to access files using a Jar url. This issue affects Apache XML Graphics Batik 1.14.", title: "Vulnerability description", }, { category: "summary", text: "batik: Server-Side Request Forgery (SSRF) vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40146", }, { category: "external", summary: "RHBZ#2155291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40146", url: "https://www.cve.org/CVERecord?id=CVE-2022-40146", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40146", }, { category: "external", summary: "http://svn.apache.org/viewvc?view=revision&revision=1903910", url: "http://svn.apache.org/viewvc?view=revision&revision=1903910", }, { category: "external", summary: "https://issues.apache.org/jira/browse/BATIK-1335", url: "https://issues.apache.org/jira/browse/BATIK-1335", }, { category: "external", summary: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", url: "https://lists.apache.org/thread/hxtddqjty2sbs12y97c8g7xfh17jzxsx", }, ], release_date: "2022-09-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Server-Side Request Forgery (SSRF) vulnerability", }, { cve: "CVE-2022-40150", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135770", }, ], notes: [ { category: "description", text: "A vulnerability was found in Jettison, where parsing an untrusted XML or JSON data may lead to a crash. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash, causing memory exhaustion. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "jettison: memory exhaustion via user-supplied XML or JSON data", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40150", }, { category: "external", summary: "RHBZ#2135770", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135770", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40150", url: "https://www.cve.org/CVERecord?id=CVE-2022-40150", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40150", }, { category: "external", summary: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", url: "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1", }, ], release_date: "2022-09-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "jettison: memory exhaustion via user-supplied XML or JSON data", }, { cve: "CVE-2022-40151", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134292", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40151", }, { category: "external", summary: "RHBZ#2134292", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134292", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40151", url: "https://www.cve.org/CVERecord?id=CVE-2022-40151", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40151", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134291", }, ], notes: [ { category: "description", text: "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", title: "Vulnerability description", }, { category: "summary", text: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40152", }, { category: "external", summary: "RHBZ#2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40152", url: "https://www.cve.org/CVERecord?id=CVE-2022-40152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", }, { category: "external", summary: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", url: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40156", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134288", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40156", }, { category: "external", summary: "RHBZ#2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40156", url: "https://www.cve.org/CVERecord?id=CVE-2022-40156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-41704", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182182", }, ], notes: [ { category: "description", text: "A flaw was found in Batik. This issue may allow a malicious user to run untrusted Java code from an SVG.", title: "Vulnerability description", }, { category: "summary", text: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41704", }, { category: "external", summary: "RHBZ#2182182", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182182", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41704", url: "https://www.cve.org/CVERecord?id=CVE-2022-41704", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41704", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Apache XML Graphics Batik vulnerable to code execution via SVG", }, { cve: "CVE-2022-41852", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136128", }, ], notes: [ { category: "description", text: "A flaw was found in the Apache Commons JXPath package. This flaw allows an attacker to use the interpreter to execute untrusted expressions and a remote code attack.", title: "Vulnerability description", }, { category: "summary", text: "JXPath: untrusted XPath expressions may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41852", }, { category: "external", summary: "RHBZ#2136128", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136128", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41852", url: "https://www.cve.org/CVERecord?id=CVE-2022-41852", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41852", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41852", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "JXPath: untrusted XPath expressions may lead to RCE attack", }, { cve: "CVE-2022-41853", cwe: { id: "CWE-470", name: "Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", }, discovery_date: "2022-10-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2136141", }, ], notes: [ { category: "description", text: "A flaw was found in the HSQLDB package. This flaw allows untrusted inputs to execute remote code due to any static method of any Java class in the classpath, resulting in code execution by default.", title: "Vulnerability description", }, { category: "summary", text: "hsqldb: Untrusted input may lead to RCE attack", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41853", }, { category: "external", summary: "RHBZ#2136141", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2136141", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41853", url: "https://www.cve.org/CVERecord?id=CVE-2022-41853", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41853", }, { category: "external", summary: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", url: "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control", }, { category: "external", summary: "https://github.com/advisories/GHSA-77xx-rxvh-q682", url: "https://github.com/advisories/GHSA-77xx-rxvh-q682", }, ], release_date: "2022-10-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "workaround", details: "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, all classes by default are not accessible, except those in java.lang.Math and need to be manually enabled.", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "hsqldb: Untrusted input may lead to RCE attack", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-41881", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153379", }, ], notes: [ { category: "description", text: "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41881", }, { category: "external", summary: "RHBZ#2153379", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153379", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41881", url: "https://www.cve.org/CVERecord?id=CVE-2022-41881", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41881", }, ], release_date: "2022-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS", }, { cve: "CVE-2022-41966", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-02-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2170431", }, ], notes: [ { category: "description", text: "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41966", }, { category: "external", summary: "RHBZ#2170431", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2170431", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41966", url: "https://www.cve.org/CVERecord?id=CVE-2022-41966", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41966", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv", }, ], release_date: "2022-12-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-42890", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182183", }, ], notes: [ { category: "description", text: "A flaw was found in Batik of Apache XML Graphics. This issue may allow a malicious user to run Java code from untrusted SVG via JavaScript.", title: "Vulnerability description", }, { category: "summary", text: "batik: Untrusted code execution in Apache XML Graphics Batik", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42890", }, { category: "external", summary: "RHBZ#2182183", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182183", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42890", url: "https://www.cve.org/CVERecord?id=CVE-2022-42890", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42890", }, ], release_date: "2022-10-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "batik: Untrusted code execution in Apache XML Graphics Batik", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-20863", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-04-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2187742", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. Certain versions of Spring Framework's Expression Language were not restricting the size of Spring Expressions. This could allow an attacker to craft a malicious Spring Expression to cause a denial of service on the server.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20863", }, { category: "external", summary: "RHBZ#2187742", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2187742", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20863", url: "https://www.cve.org/CVERecord?id=CVE-2023-20863", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", }, { category: "external", summary: "https://spring.io/security/cve-2023-20863", url: "https://spring.io/security/cve-2023-20863", }, ], release_date: "2023-04-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-22602", cwe: { id: "CWE-436", name: "Interpretation Conflict", }, discovery_date: "2023-03-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182198", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Shiro. This issue may allow a malicious user to send a specially crafted HTTP request that could cause an authentication bypass.", title: "Vulnerability description", }, { category: "summary", text: "shiro: Authentication bypass through a specially crafted HTTP request", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-22602", }, { category: "external", summary: "RHBZ#2182198", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182198", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-22602", url: "https://www.cve.org/CVERecord?id=CVE-2023-22602", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-22602", }, ], release_date: "2023-01-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "shiro: Authentication bypass through a specially crafted HTTP request", }, { cve: "CVE-2023-24998", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-02-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2172298", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service.\r\n\r\nWhile Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.", title: "Vulnerability description", }, { category: "summary", text: "FileUpload: FileUpload DoS with excessive parts", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-24998", }, { category: "external", summary: "RHBZ#2172298", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2172298", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-24998", url: "https://www.cve.org/CVERecord?id=CVE-2023-24998", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", }, { category: "external", summary: "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5", url: "https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5", }, ], release_date: "2023-02-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-03T14:05:29+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:2100", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "FileUpload: FileUpload DoS with excessive parts", }, ], }
rhsa-2023_3906
Vulnerability from csaf_redhat
Published
2023-06-28 15:59
Modified
2024-12-10 17:53
Summary
Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update
Notes
Topic
Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.
Details
A security update for Camel K 1.10.1 is now available.
The purpose of this text-only errata is to inform you about the security issues fixed with this release.
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)
* codehaus-plexus: Directory Traversal (CVE-2022-4244)
* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.", title: "Topic", }, { category: "general", text: "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3906", url: "https://access.redhat.com/errata/RHSA-2023:3906", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "2149841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841", }, { category: "external", summary: "2149843", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update", tracking: { current_release_date: "2024-12-10T17:53:41+00:00", generator: { date: "2024-12-10T17:53:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3906", initial_release_date: "2023-06-28T15:59:12+00:00", revision_history: [ { date: "2023-06-28T15:59:12+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-28T15:59:12+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-10T17:53:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-K-1.10.1", product: { name: "RHINT Camel-K-1.10.1", product_id: "RHINT Camel-K-1.10.1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_k:1", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-4244", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2149841", }, ], notes: [ { category: "description", text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.", title: "Vulnerability description", }, { category: "summary", text: "codehaus-plexus: Directory Traversal", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4244", }, { category: "external", summary: "RHBZ#2149841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244", url: "https://www.cve.org/CVERecord?id=CVE-2022-4244", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", }, ], release_date: "2022-12-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codehaus-plexus: Directory Traversal", }, { cve: "CVE-2022-4245", cwe: { id: "CWE-91", name: "XML Injection (aka Blind XPath Injection)", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2149843", }, ], notes: [ { category: "description", text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.", title: "Vulnerability description", }, { category: "summary", text: "codehaus-plexus: XML External Entity (XXE) Injection", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4245", }, { category: "external", summary: "RHBZ#2149843", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245", url: "https://www.cve.org/CVERecord?id=CVE-2022-4245", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", }, ], release_date: "2022-12-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codehaus-plexus: XML External Entity (XXE) Injection", }, { cve: "CVE-2022-39368", cwe: { id: "CWE-459", name: "Incomplete Cleanup", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145205", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.", title: "Vulnerability description", }, { category: "summary", text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-39368", }, { category: "external", summary: "RHBZ#2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368", url: "https://www.cve.org/CVERecord?id=CVE-2022-39368", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", }, { category: "external", summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", }, ], release_date: "2022-11-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023_3179
Vulnerability from csaf_redhat
Published
2023-05-17 12:29
Modified
2024-12-10 17:50
Summary
Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2-2 security update
Notes
Topic
Red Hat Integration Camel Extensions for Quarkus 2.13.2-2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for Camel Extensions for Quarkus 2.13.2-2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel Extensions for Quarkus 2.13.2-2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for Camel Extensions for Quarkus 2.13.2-2 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3179", url: "https://access.redhat.com/errata/RHSA-2023:3179", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3179.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel Extensions For Quarkus 2.13.2-2 security update", tracking: { current_release_date: "2024-12-10T17:50:46+00:00", generator: { date: "2024-12-10T17:50:46+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3179", initial_release_date: "2023-05-17T12:29:38+00:00", revision_history: [ { date: "2023-05-17T12:29:38+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-17T12:29:38+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-10T17:50:46+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "CEQ 2.13.2-2", product: { name: "CEQ 2.13.2-2", product_id: "CEQ 2.13.2-2", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:2.13", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "CEQ 2.13.2-2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-17T12:29:38+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "CEQ 2.13.2-2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3179", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CEQ 2.13.2-2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
RHSA-2023:7697
Vulnerability from csaf_redhat
Published
2023-12-07 13:41
Modified
2025-03-16 06:49
Summary
Red Hat Security Advisory: AMQ Clients 2023.Q4
Notes
Topic
An update is now available for Red Hat AMQ Clients
Red Hat Product Security has rated this update as having an impact of
Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed
severity rating, is available for each vulnerability from the CVE link(s) in the
References section.
Details
Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.
This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 8
and 9.
Security Fix(es):
* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability
* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM
* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length
* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution
* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections
* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow
* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat AMQ Clients\n\nRed Hat Product Security has rated this update as having an impact of\nModerate.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed\nseverity rating, is available for each vulnerability from the CVE link(s) in the\nReferences section.", title: "Topic", }, { category: "general", text: "Each Red Hat AMQ Client enables sending, and receiving messages to or from AMQ Broker 7.\n\nThis update provides various bug fixes and enhancements in addition to the\nclient package versions previously released on Red Hat Enterprise Linux 8\nand 9.\n\nSecurity Fix(es):\n\n* (CVE-2023-34050) springframework-amqp: Deserialization Vulnerability\n* (CVE-2023-34462) netty: SniHandler 16MB allocation leads to OOM\n* (CVE-2023-40167) jetty: Improper validation of HTTP/1 content-length\n* (CVE-2022-1471) SnakeYaml: Constructor Deserialization Remote Code Execution\n* (CVE-2022-25857) snakeyaml: Denial of Service due to missing nested depth limitation for collections\n* (CVE-2022-38749) snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode\n* (CVE-2022-41854) dev-java/snakeyaml: DoS via stack overflow\n* (CVE-2023-1370) json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:7697", url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.clients&version=2023.Q4", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_amq_clients/", url: "https://access.redhat.com/documentation/en-us/red_hat_amq_clients/", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2216888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216888", }, { category: "external", summary: "2239634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2239634", }, { category: "external", summary: "2246065", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246065", }, { category: "external", summary: "ENTMQCL-1291", url: "https://issues.redhat.com/browse/ENTMQCL-1291", }, { category: "external", summary: "ENTMQCL-1517", url: "https://issues.redhat.com/browse/ENTMQCL-1517", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7697.json", }, ], title: "Red Hat Security Advisory: AMQ Clients 2023.Q4", tracking: { current_release_date: "2025-03-16T06:49:32+00:00", generator: { date: "2025-03-16T06:49:32+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:7697", initial_release_date: "2023-12-07T13:41:55+00:00", revision_history: [ { date: "2023-12-07T13:41:55+00:00", number: "1", summary: "Initial version", }, { date: "2023-12-07T13:41:55+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:49:32+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "AMQ Clients", product: { name: "AMQ Clients", product_id: "AMQ Clients", product_identification_helper: { cpe: "cpe:/a:redhat:amq_clients:2023_q4", }, }, }, ], category: "product_family", name: "Red Hat AMQ Clients", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-1471", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2150009", }, ], notes: [ { category: "description", text: "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).", title: "Vulnerability description", }, { category: "summary", text: "SnakeYaml: Constructor Deserialization Remote Code Execution", title: "Vulnerability summary", }, { category: "other", text: "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-1471", }, { category: "external", summary: "RHBZ#2150009", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2150009", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-1471", url: "https://www.cve.org/CVERecord?id=CVE-2022-1471", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-1471", }, { category: "external", summary: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", url: "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "SnakeYaml: Constructor Deserialization Remote Code Execution", }, { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-34050", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2023-10-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2246065", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework AMQP. An allowed list exists in Spring AMQP, but when no allowed list is provided, all classes could be deserialized, allowing a malicious user to send harmful content to the broker.", title: "Vulnerability description", }, { category: "summary", text: "springframework-amqp: Deserialization Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "This flaw requires previous knowledge and access to the messages in order to get them deserialized and possibly leak information. It also requires missing server side configurations to prevent unwanted behavior. Therefore, this is rated as a Moderate impact.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-34050", }, { category: "external", summary: "RHBZ#2246065", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246065", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-34050", url: "https://www.cve.org/CVERecord?id=CVE-2023-34050", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-34050", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34050", }, { category: "external", summary: "https://spring.io/security/cve-2023-34050", url: "https://spring.io/security/cve-2023-34050", }, ], release_date: "2023-10-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "workaround", details: "An application may be vulnerable if:\n- The SimpleMessageConverter or SerializerMessageConverter is used \n- The user does not configure allowed list patterns \n- Untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content\n\nMake sure these are avoided in order to mitigate the issue.", product_ids: [ "AMQ Clients", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework-amqp: Deserialization Vulnerability", }, { cve: "CVE-2023-34462", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-06-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2216888", }, ], notes: [ { category: "description", text: "A flaw was found in Netty's SniHandler while navigating TLS handshake which may permit a large heap allocation if the handler did not have a timeout configured. This issue may allow an attacker to send a client hello packet which would cause the server to buffer large amounts of data per connection, potentially causing an out of memory error, resulting in Denial of Service.", title: "Vulnerability description", }, { category: "summary", text: "netty: SniHandler 16MB allocation leads to OOM", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-34462", }, { category: "external", summary: "RHBZ#2216888", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2216888", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-34462", url: "https://www.cve.org/CVERecord?id=CVE-2023-34462", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34462", }, ], release_date: "2023-06-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, { category: "workaround", details: "Configuration of SniHandler with an idle timeout will mitigate this issue.", product_ids: [ "AMQ Clients", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: SniHandler 16MB allocation leads to OOM", }, { cve: "CVE-2023-40167", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, discovery_date: "2023-09-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2239634", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty that permits a plus sign (+) preceding the content-length value in a HTTP/1 header field, which is non-standard and more permissive than RFC. This issue could allow an attacker to request smuggling in conjunction with a server that does not close connections after 400 responses.", title: "Vulnerability description", }, { category: "summary", text: "jetty: Improper validation of HTTP/1 content-length", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "AMQ Clients", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-40167", }, { category: "external", summary: "RHBZ#2239634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2239634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-40167", url: "https://www.cve.org/CVERecord?id=CVE-2023-40167", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", }, { category: "external", summary: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", url: "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6", }, { category: "external", summary: "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", url: "https://www.rfc-editor.org/rfc/rfc9110#section-8.6", }, ], release_date: "2023-09-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-12-07T13:41:55+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "AMQ Clients", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:7697", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, products: [ "AMQ Clients", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jetty: Improper validation of HTTP/1 content-length", }, ], }
RHSA-2024:3527
Vulnerability from csaf_redhat
Published
2024-05-30 20:24
Modified
2025-03-15 04:02
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)\n* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)\n* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n* guava: insecure temporary directory creation (CVE-2023-2976)\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:3527", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "ENTMQST-5619", url: "https://issues.redhat.com/browse/ENTMQST-5619", }, { category: "external", summary: "ENTMQST-5881", url: "https://issues.redhat.com/browse/ENTMQST-5881", }, { category: "external", summary: "ENTMQST-5882", url: "https://issues.redhat.com/browse/ENTMQST-5882", }, { category: "external", summary: "ENTMQST-5883", url: "https://issues.redhat.com/browse/ENTMQST-5883", }, { category: "external", summary: "ENTMQST-5884", url: "https://issues.redhat.com/browse/ENTMQST-5884", }, { category: "external", summary: "ENTMQST-5885", url: "https://issues.redhat.com/browse/ENTMQST-5885", }, { category: "external", summary: "ENTMQST-5886", url: "https://issues.redhat.com/browse/ENTMQST-5886", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3527.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update", tracking: { current_release_date: "2025-03-15T04:02:14+00:00", generator: { date: "2025-03-15T04:02:14+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:3527", initial_release_date: "2024-05-30T20:24:46+00:00", revision_history: [ { date: "2024-05-30T20:24:46+00:00", number: "1", summary: "Initial version", }, { date: "2024-06-25T17:26:45+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:02:14+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.7.0", product: { name: "Red Hat AMQ Streams 2.7.0", product_id: "Red Hat AMQ Streams 2.7.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-3520", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2021-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1954559", }, ], notes: [ { category: "description", text: "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", title: "Vulnerability description", }, { category: "summary", text: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", title: "Vulnerability summary", }, { category: "other", text: "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3520", }, { category: "external", summary: "RHBZ#1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3520", url: "https://www.cve.org/CVERecord?id=CVE-2021-3520", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", }, ], release_date: "2021-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", }, { cve: "CVE-2021-24032", cwe: { id: "CWE-281", name: "Improper Preservation of Permissions", }, discovery_date: "2021-02-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1928090", }, ], notes: [ { category: "description", text: "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).", title: "Vulnerability description", }, { category: "summary", text: "zstd: Race condition allows attacker to access world-readable destination file", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.\n\nThis vulnerability can be considered low severity rather than moderate due to the fact that the elevated file permissions are only temporary and only exist during the compression or decompression process. Once the operation completes, the file permissions revert to their intended state, mirroring those of the input file. The risk is further minimized by the fact that the exposure window is brief, and the elevated permissions are not persistent. Additionally, the issue only arises during the processing of files, and only those with larger sizes or more involved operations would be at risk.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-24032", }, { category: "external", summary: "RHBZ#1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-24032", url: "https://www.cve.org/CVERecord?id=CVE-2021-24032", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", }, ], release_date: "2021-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: Race condition allows attacker to access world-readable destination file", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-4899", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-01-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2179864", }, ], notes: [ { category: "description", text: "A vulnerability was found in zstd. This flaw allows an attacker to supply an empty string as an argument to the command line tool to cause a buffer overrun.", title: "Vulnerability description", }, { category: "summary", text: "zstd: mysql: buffer overrun in util.c", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Moderate because a buffer overrun in Zstd can be triggered by supplying an empty string as an argument to the command-line tool. On exploitation, it could lead to application crashes or unpredictable behavior.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4899", }, { category: "external", summary: "RHBZ#2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4899", url: "https://www.cve.org/CVERecord?id=CVE-2022-4899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", }, ], release_date: "2022-07-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "zstd: mysql: buffer overrun in util.c", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2251281", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33202", }, { category: "external", summary: "RHBZ#2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33202", url: "https://www.cve.org/CVERecord?id=CVE-2023-33202", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", }, ], release_date: "2023-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", }, { cve: "CVE-2023-43642", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241722", }, ], notes: [ { category: "description", text: "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-43642", }, { category: "external", summary: "RHBZ#2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-43642", url: "https://www.cve.org/CVERecord?id=CVE-2023-43642", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", }, { category: "external", summary: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", url: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", }, ], release_date: "2023-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-1023", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-01-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2260840", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1023", }, { category: "external", summary: "RHBZ#2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1023", url: "https://www.cve.org/CVERecord?id=CVE-2024-1023", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/issues/5078", url: "https://github.com/eclipse-vertx/vert.x/issues/5078", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5080", url: "https://github.com/eclipse-vertx/vert.x/pull/5080", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5082", url: "https://github.com/eclipse-vertx/vert.x/pull/5082", }, ], release_date: "2024-01-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", }, { cve: "CVE-2024-1300", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2263139", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", title: "Vulnerability summary", }, { category: "other", text: "This affects only TLS servers with SNI enabled.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1300", }, { category: "external", summary: "RHBZ#2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1300", url: "https://www.cve.org/CVERecord?id=CVE-2024-1300", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", }, { category: "external", summary: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", url: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", }, ], release_date: "2024-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", }, { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-02-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264988", }, ], notes: [ { category: "description", text: "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-25710", }, { category: "external", summary: "RHBZ#2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-25710", url: "https://www.cve.org/CVERecord?id=CVE-2024-25710", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2024/02/19/1", url: "http://www.openwall.com/lists/oss-security/2024/02/19/1", }, { category: "external", summary: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", url: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "No mitigation is currently available for this vulnerability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, ], }
rhsa-2023:3362
Vulnerability from csaf_redhat
Published
2023-06-07 09:23
Modified
2025-03-03 16:25
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update
Notes
Topic
Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.
This release includes a security update for Red Hat OpenShift Container Platform 4.10.
Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:
https://access.redhat.com/errata/RHSA-2023:3363
Security Fix(es):
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
All OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat OpenShift Container Platform release 4.10.61 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nThis release includes a security update for Red Hat OpenShift Container Platform 4.10.\n\nRed Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nThis advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.10.61. See the following advisory for the container images for this release:\n\nhttps://access.redhat.com/errata/RHSA-2023:3363\n\nSecurity Fix(es):\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAll OpenShift Container Platform 4.10 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.10/updating/updating-cluster-cli.html", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3362", url: "https://access.redhat.com/errata/RHSA-2023:3362", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/articles/11258", url: "https://access.redhat.com/articles/11258", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3362.json", }, ], title: "Red Hat Security Advisory: OpenShift Container Platform 4.10.61 packages and security update", tracking: { current_release_date: "2025-03-03T16:25:48+00:00", generator: { date: "2025-03-03T16:25:48+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:3362", initial_release_date: "2023-06-07T09:23:42+00:00", revision_history: [ { date: "2023-06-07T09:23:42+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-07T09:23:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:25:48+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat OpenShift Container Platform 4.10", product: { name: "Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:4.10::el7", }, }, }, { category: "product_name", name: "Red Hat OpenShift Container Platform 4.10", product: { name: "Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:4.10::el8", }, }, }, ], category: "product_family", name: "Red Hat OpenShift Enterprise", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=src", }, }, }, { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product_id: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.10.1684982411-1.el8?arch=src", }, }, }, { category: "product_version", name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product: { name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product_id: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/python-sushy@4.1.6-0.20230517173625.5490eb6.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el7?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=aarch64", }, }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=ppc64le", }, }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, { category: "product_version", name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debugsource@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, { category: "product_version", name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_id: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", product_identification_helper: { purl: "pkg:rpm/redhat/cri-o-debuginfo@1.23.5-15.rhaos4.10.git0bbb0d9.el8?arch=s390x", }, }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.10.1684982411-1.el8?arch=noarch", }, }, }, { category: "product_version", name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product: { name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_id: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-sushy@4.1.6-0.20230517173625.5490eb6.el8?arch=noarch", }, }, }, { category: "product_version", name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product: { name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_id: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/python3-sushy-tests@4.1.6-0.20230517173625.5490eb6.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", relates_to_product_reference: "7Server-RH7-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64 as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", }, product_reference: "cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.10.1684982411-1.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", }, product_reference: "python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", }, product_reference: "python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, { category: "default_component_of", full_product_name: { name: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch as a component of Red Hat OpenShift Container Platform 4.10", product_id: "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", }, product_reference: "python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", relates_to_product_reference: "8Base-RHOSE-4.10", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", ], known_not_affected: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-07T09:23:42+00:00", details: "For OpenShift Container Platform 4.10 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.10/release_notes/ocp-4-10-release-notes.html", product_ids: [ "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3362", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.src", "7Server-RH7-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "7Server-RH7-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el7.x86_64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.src", "8Base-RHOSE-4.10:cri-o-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debuginfo-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.aarch64", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.ppc64le", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.s390x", "8Base-RHOSE-4.10:cri-o-debugsource-0:1.23.5-15.rhaos4.10.git0bbb0d9.el8.x86_64", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.noarch", "8Base-RHOSE-4.10:jenkins-2-plugins-0:4.10.1684982411-1.el8.src", "8Base-RHOSE-4.10:python-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.src", "8Base-RHOSE-4.10:python3-sushy-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", "8Base-RHOSE-4.10:python3-sushy-tests-0:4.1.6-0.20230517173625.5490eb6.el8.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023_3641
Vulnerability from csaf_redhat
Published
2023-06-15 15:23
Modified
2024-12-16 16:23
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Notes
Topic
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3641", url: "https://access.redhat.com/errata/RHSA-2023:3641", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3641.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release", tracking: { current_release_date: "2024-12-16T16:23:30+00:00", generator: { date: "2024-12-16T16:23:30+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3641", initial_release_date: "2023-06-15T15:23:47+00:00", revision_history: [ { date: "2023-06-15T15:23:47+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T15:23:47+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-16T16:23:30+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.18.3.P2", product: { name: "RHINT Camel-Springboot 3.18.3.P2", product_id: "RHINT Camel-Springboot 3.18.3.P2", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.18", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-38750", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129707", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38750", }, { category: "external", summary: "RHBZ#2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38750", url: "https://www.cve.org/CVERecord?id=CVE-2022-38750", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", }, { cve: "CVE-2022-38751", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129709", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38751", }, { category: "external", summary: "RHBZ#2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38751", url: "https://www.cve.org/CVERecord?id=CVE-2022-38751", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", }, { cve: "CVE-2022-38752", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129710", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38752", }, { category: "external", summary: "RHBZ#2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38752", url: "https://www.cve.org/CVERecord?id=CVE-2022-38752", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134291", }, ], notes: [ { category: "description", text: "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", title: "Vulnerability description", }, { category: "summary", text: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40152", }, { category: "external", summary: "RHBZ#2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40152", url: "https://www.cve.org/CVERecord?id=CVE-2022-40152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", }, { category: "external", summary: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", url: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40156", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134288", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40156", }, { category: "external", summary: "RHBZ#2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40156", url: "https://www.cve.org/CVERecord?id=CVE-2022-40156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-45047", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145194", }, ], notes: [ { category: "description", text: "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", title: "Vulnerability description", }, { category: "summary", text: "mina-sshd: Java unsafe deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45047", }, { category: "external", summary: "RHBZ#2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45047", url: "https://www.cve.org/CVERecord?id=CVE-2022-45047", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", }, { category: "external", summary: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", url: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", }, ], release_date: "2022-11-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, { category: "workaround", details: "From the maintainer:\n\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "mina-sshd: Java unsafe deserialization vulnerability", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2022-46364", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155682", }, ], notes: [ { category: "description", text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", title: "Vulnerability description", }, { category: "summary", text: "CXF: SSRF Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46364", }, { category: "external", summary: "RHBZ#2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364", url: "https://www.cve.org/CVERecord?id=CVE-2022-46364", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "CXF: SSRF Vulnerability", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20883", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-05-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2209342", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20883", }, { category: "external", summary: "RHBZ#2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20883", url: "https://www.cve.org/CVERecord?id=CVE-2023-20883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", }, ], release_date: "2023-05-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", }, ], }
RHSA-2023:3906
Vulnerability from csaf_redhat
Published
2023-06-28 15:59
Modified
2025-03-14 23:59
Summary
Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update
Notes
Topic
Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.
Details
A security update for Camel K 1.10.1 is now available.
The purpose of this text-only errata is to inform you about the security issues fixed with this release.
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)
* codehaus-plexus: Directory Traversal (CVE-2022-4244)
* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)
* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)
* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.", title: "Topic", }, { category: "general", text: "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3906", url: "https://access.redhat.com/errata/RHSA-2023:3906", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "2149841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841", }, { category: "external", summary: "2149843", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843", }, { category: "external", summary: "2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update", tracking: { current_release_date: "2025-03-14T23:59:20+00:00", generator: { date: "2025-03-14T23:59:20+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3906", initial_release_date: "2023-06-28T15:59:12+00:00", revision_history: [ { date: "2023-06-28T15:59:12+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-28T15:59:12+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-14T23:59:20+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-K-1.10.1", product: { name: "RHINT Camel-K-1.10.1", product_id: "RHINT Camel-K-1.10.1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_k:1", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-4244", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2149841", }, ], notes: [ { category: "description", text: "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.", title: "Vulnerability description", }, { category: "summary", text: "codehaus-plexus: Directory Traversal", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4244", }, { category: "external", summary: "RHBZ#2149841", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149841", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4244", url: "https://www.cve.org/CVERecord?id=CVE-2022-4244", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4244", }, ], release_date: "2022-12-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codehaus-plexus: Directory Traversal", }, { cve: "CVE-2022-4245", cwe: { id: "CWE-91", name: "XML Injection (aka Blind XPath Injection)", }, discovery_date: "2022-12-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2149843", }, ], notes: [ { category: "description", text: "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.", title: "Vulnerability description", }, { category: "summary", text: "codehaus-plexus: XML External Entity (XXE) Injection", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4245", }, { category: "external", summary: "RHBZ#2149843", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2149843", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4245", url: "https://www.cve.org/CVERecord?id=CVE-2022-4245", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4245", }, ], release_date: "2022-12-01T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "codehaus-plexus: XML External Entity (XXE) Injection", }, { cve: "CVE-2022-39368", cwe: { id: "CWE-459", name: "Incomplete Cleanup", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145205", }, ], notes: [ { category: "description", text: "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don't clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.", title: "Vulnerability description", }, { category: "summary", text: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-39368", }, { category: "external", summary: "RHBZ#2145205", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145205", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-39368", url: "https://www.cve.org/CVERecord?id=CVE-2022-39368", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-39368", }, { category: "external", summary: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", url: "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc", }, ], release_date: "2022-11-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "scandium: Failing DTLS handshakes may cause throttling to block processing of records", }, { cve: "CVE-2022-41946", cwe: { id: "CWE-377", name: "Insecure Temporary File", }, discovery_date: "2022-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2153399", }, ], notes: [ { category: "description", text: "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.", title: "Vulnerability description", }, { category: "summary", text: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn't make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41946", }, { category: "external", summary: "RHBZ#2153399", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2153399", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41946", url: "https://www.cve.org/CVERecord?id=CVE-2022-41946", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41946", }, ], release_date: "2022-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-K-1.10.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-28T15:59:12+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-K-1.10.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3906", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-K-1.10.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023_3622
Vulnerability from csaf_redhat
Published
2023-06-15 09:03
Modified
2024-12-16 16:23
Summary
Red Hat Security Advisory: jenkins and jenkins-2-plugins security update
Notes
Topic
An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)
* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)
* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)
* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.13.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern (CVE-2023-20860)\n\n* Jenkins plugin: CSRF vulnerability in Blue Ocean Plugin (CVE-2022-30953)\n\n* Jenkins plugin: missing permission checks in Blue Ocean Plugin (CVE-2022-30954)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)\n\n* Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)\n\n* Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3622", url: "https://access.redhat.com/errata/RHSA-2023:3622", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html", url: "https://docs.openshift.com/container-platform/4.13/cicd/jenkins/important-changes-to-openshift-jenkins-images.html", }, { category: "external", summary: "2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3622.json", }, ], title: "Red Hat Security Advisory: jenkins and jenkins-2-plugins security update", tracking: { current_release_date: "2024-12-16T16:23:20+00:00", generator: { date: "2024-12-16T16:23:20+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2023:3622", initial_release_date: "2023-06-15T09:03:50+00:00", revision_history: [ { date: "2023-06-15T09:03:50+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T09:03:50+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-16T16:23:20+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.13", product: { name: "OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.13::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686680404-3.el8.src", product: { name: "jenkins-0:2.401.1.1686680404-3.el8.src", product_id: "jenkins-0:2.401.1.1686680404-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product_id: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product: { name: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product_id: "jenkins-0:2.401.1.1686680404-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.401.1.1686680404-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1686680473-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686680404-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", }, product_reference: "jenkins-0:2.401.1.1686680404-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.401.1.1686680404-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", }, product_reference: "jenkins-0:2.401.1.1686680404-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.13.1686680473-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, ], }, vulnerabilities: [ { cve: "CVE-2022-29599", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, discovery_date: "2022-03-15T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2066479", }, ], notes: [ { category: "description", text: "A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.", title: "Vulnerability description", }, { category: "summary", text: "maven-shared-utils: Command injection via Commandline class", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Satellite ships Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on affected Apache Maven Shared Utils. Due to the fact that Satellite does not directly use Apache Maven Shared Utils, or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions including RHEL 7.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-29599", }, { category: "external", summary: "RHBZ#2066479", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2066479", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-29599", url: "https://www.cve.org/CVERecord?id=CVE-2022-29599", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-29599", }, ], release_date: "2020-05-29T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "maven-shared-utils: Command injection via Commandline class", }, { cve: "CVE-2022-30953", cwe: { id: "CWE-352", name: "Cross-Site Request Forgery (CSRF)", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119646", }, ], notes: [ { category: "description", text: "A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: CSRF vulnerability in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30953", }, { category: "external", summary: "RHBZ#2119646", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119646", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30953", url: "https://www.cve.org/CVERecord?id=CVE-2022-30953", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30953", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: CSRF vulnerability in Blue Ocean Plugin", }, { cve: "CVE-2022-30954", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2022-08-19T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2119647", }, ], notes: [ { category: "description", text: "Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.", title: "Vulnerability description", }, { category: "summary", text: "plugin: missing permission checks in Blue Ocean Plugin", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-30954", }, { category: "external", summary: "RHBZ#2119647", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2119647", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-30954", url: "https://www.cve.org/CVERecord?id=CVE-2022-30954", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-30954", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", url: "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2502", }, ], release_date: "2022-05-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "plugin: missing permission checks in Blue Ocean Plugin", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20860", cwe: { id: "CWE-155", name: "Improper Neutralization of Wildcards or Matching Symbols", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180528", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Framework. In this vulnerability, a security bypass is possible due to the behavior of the wildcard pattern.", title: "Vulnerability description", }, { category: "summary", text: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20860", }, { category: "external", summary: "RHBZ#2180528", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180528", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20860", url: "https://www.cve.org/CVERecord?id=CVE-2023-20860", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20860", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern", }, { cve: "CVE-2023-20861", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-03-21T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2180530", }, ], notes: [ { category: "description", text: "A flaw found was found in Spring Framework. This flaw allows a malicious user to use a specially crafted SpEL expression that causes a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "springframework: Spring Expression DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20861", }, { category: "external", summary: "RHBZ#2180530", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2180530", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20861", url: "https://www.cve.org/CVERecord?id=CVE-2023-20861", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", }, { category: "external", summary: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", url: "https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861", }, ], release_date: "2023-03-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "springframework: Spring Expression DoS Vulnerability", }, { cve: "CVE-2023-27903", cwe: { id: "CWE-266", name: "Incorrect Privilege Assignment", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177632", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. When triggering a build from the Jenkins CLI, Jenkins creates a temporary file on the controller if a file parameter is provided through the CLI’s standard input. Affected versions of Jenkins create this temporary file in the default temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is used in the build.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Temporary file parameter created with insecure permissions", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27903", }, { category: "external", summary: "RHBZ#2177632", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177632", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27903", url: "https://www.cve.org/CVERecord?id=CVE-2023-27903", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27903", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Temporary file parameter created with insecure permissions", }, { cve: "CVE-2023-27904", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-03-13T00:00:00+00:00", flags: [ { label: "vulnerable_code_not_present", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], ids: [ { system_name: "Red Hat Bugzilla ID", text: "2177634", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers.", title: "Vulnerability description", }, { category: "summary", text: "Jenkins: Information disclosure through error stack traces related to agents", title: "Vulnerability summary", }, { category: "other", text: "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], known_not_affected: [ "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-27904", }, { category: "external", summary: "RHBZ#2177634", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2177634", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-27904", url: "https://www.cve.org/CVERecord?id=CVE-2023-27904", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-27904", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", url: "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120", }, ], release_date: "2023-03-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T09:03:50+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3622", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.401.1.1686680404-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1686680473-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "Jenkins: Information disclosure through error stack traces related to agents", }, ], }
rhsa-2023:3193
Vulnerability from csaf_redhat
Published
2023-05-17 15:49
Modified
2025-03-03 16:24
Summary
Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 security update
Notes
Topic
Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for Camel Extensions for Quarkus 2.7.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.
Red Hat Product Security has rated this update as having an impact of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Security Fix(es):
* CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n Red Hat Product Security has rated this update as having an impact of Important.\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for Camel Extensions for Quarkus 2.7.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed.\n Red Hat Product Security has rated this update as having an impact of Important.\n\n A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\n Security Fix(es):\n\n * CVE-2023-1370 json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3193", url: "https://access.redhat.com/errata/RHSA-2023:3193", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/security/cve/cve-2023-1370", url: "https://access.redhat.com/security/cve/cve-2023-1370", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3193.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.7.1-1 security update", tracking: { current_release_date: "2025-03-03T16:24:42+00:00", generator: { date: "2025-03-03T16:24:42+00:00", engine: { name: "Red Hat SDEngine", version: "4.3.1", }, }, id: "RHSA-2023:3193", initial_release_date: "2023-05-17T15:49:21+00:00", revision_history: [ { date: "2023-05-17T15:49:21+00:00", number: "1", summary: "Initial version", }, { date: "2023-05-17T15:49:21+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-03T16:24:42+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "CEQ 2.7.1-1", product: { name: "CEQ 2.7.1-1", product_id: "CEQ 2.7.1-1", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:2.7", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "CEQ 2.7.1-1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-05-17T15:49:21+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "CEQ 2.7.1-1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3193", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CEQ 2.7.1-1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, ], }
rhsa-2023:3641
Vulnerability from csaf_redhat
Published
2023-06-15 15:23
Modified
2025-03-16 06:48
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release
Notes
Topic
Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.
Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)
* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)
* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)
* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)
* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Camel for Spring Boot 3.18.3 Patch 2 release and security update is now available.\n\nRed Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "This release of Camel for Spring Boot 3.18.3.P2 serves as a replacement for Camel for Spring Boot 3.18.3.P1 and includes bug fixes and enhancements, which are documented in the Release Notes linked in the References. The purpose of this text-only errata is to inform you about the security issues fixed.\n\n* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)\n\n* woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40152)\n\n* xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks (CVE-2022-40156)\n\n* dev-java-snakeyaml: dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047)\n\n* jettison: Uncontrolled Recursion in JSONArray (CVE-2023-1436)\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n\n* jackson-databind: use of deeply nested arrays (CVE-2022-42004)\n\n* jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)\n\n* snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750)\n\n* snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern.match (CVE-2022-38751)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)\n\n* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\n* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2023:3641", url: "https://access.redhat.com/errata/RHSA-2023:3641", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=red.hat.integration&version=2023-Q2", }, { category: "external", summary: "2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3641.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3 Patch 2 release", tracking: { current_release_date: "2025-03-16T06:48:55+00:00", generator: { date: "2025-03-16T06:48:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2023:3641", initial_release_date: "2023-06-15T15:23:47+00:00", revision_history: [ { date: "2023-06-15T15:23:47+00:00", number: "1", summary: "Initial version", }, { date: "2023-06-15T15:23:47+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-16T06:48:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.18.3.P2", product: { name: "RHINT Camel-Springboot 3.18.3.P2", product_id: "RHINT Camel-Springboot 3.18.3.P2", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.18", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2022-25857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2022-09-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2126789", }, ], notes: [ { category: "description", text: "A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", title: "Vulnerability summary", }, { category: "other", text: "For RHEL-8 it's downgraded to moderate because \"snakeyaml\" itself in RHEL 8 or RHEL-9 isn't shipped and \"prometheus-jmx-exporter\" is needed as build dependency. And it's not directly exploitable, hence severity marked as moderate.\nRed Hat Integration and AMQ products are not vulnerable to this flaw, so their severity has been lowered to moderate.\nRed Hat Single Sign-On uses snakeyaml from liquibase-core and is only used when performing migrations and would require administrator privileges to execute, hence severity marked as Low.\nRed Hat Fuse 7 is now in Maintenance Support Phase and details about its fix should be present soon. However, Red Hat Fuse Online (Syndesis) does will not contain the fix for this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-25857", }, { category: "external", summary: "RHBZ#2126789", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2126789", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-25857", url: "https://www.cve.org/CVERecord?id=CVE-2022-25857", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-25857", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/525", }, ], release_date: "2022-08-30T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Denial of Service due to missing nested depth limitation for collections", }, { cve: "CVE-2022-38749", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129706", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38749", }, { category: "external", summary: "RHBZ#2129706", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129706", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38749", url: "https://www.cve.org/CVERecord?id=CVE-2022-38749", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38749", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode", }, { cve: "CVE-2022-38750", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129707", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38750", }, { category: "external", summary: "RHBZ#2129707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38750", url: "https://www.cve.org/CVERecord?id=CVE-2022-38750", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38750", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject", }, { cve: "CVE-2022-38751", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129709", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.\n\nSatellite component Candlepin does not directly use snakeyaml, so it is not affected. Regardless, an update with the latest, unaffected snakeyaml version will be provided at next release.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38751", }, { category: "external", summary: "RHBZ#2129709", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129709", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38751", url: "https://www.cve.org/CVERecord?id=CVE-2022-38751", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38751", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match", }, { cve: "CVE-2022-38752", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2129710", }, ], notes: [ { category: "description", text: "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.", title: "Vulnerability description", }, { category: "summary", text: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-38752", }, { category: "external", summary: "RHBZ#2129710", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2129710", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-38752", url: "https://www.cve.org/CVERecord?id=CVE-2022-38752", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-38752", }, ], release_date: "2022-09-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134291", }, ], notes: [ { category: "description", text: "A flaw was found in the FasterXML/woodstox package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization. An attacker may benefit from the parser sending a malicious input that may cause a crash. This vulnerability is only relevant for users using the DTD parsing functionality.", title: "Vulnerability description", }, { category: "summary", text: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40152", }, { category: "external", summary: "RHBZ#2134291", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134291", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40152", url: "https://www.cve.org/CVERecord?id=CVE-2022-40152", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40152", }, { category: "external", summary: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", url: "https://github.com/advisories/GHSA-3f7h-mf4q-vrm4", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "woodstox-core: woodstox to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-40156", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-10-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2134288", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream package. This flaw allows an attacker to cause a denial of service (DoS) in its target via XML serialization.", title: "Vulnerability description", }, { category: "summary", text: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-40156", }, { category: "external", summary: "RHBZ#2134288", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2134288", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-40156", url: "https://www.cve.org/CVERecord?id=CVE-2022-40156", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-40156", }, ], release_date: "2022-09-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "xstream: Xstream to serialise XML data was vulnerable to Denial of Service attacks", }, { cve: "CVE-2022-41854", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-12-08T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2151988", }, ], notes: [ { category: "description", text: "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "dev-java/snakeyaml: DoS via stack overflow", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-41854", }, { category: "external", summary: "RHBZ#2151988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2151988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-41854", url: "https://www.cve.org/CVERecord?id=CVE-2022-41854", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41854", }, { category: "external", summary: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", url: "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355", }, { category: "external", summary: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", url: "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355", }, ], release_date: "2022-11-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dev-java/snakeyaml: DoS via stack overflow", }, { cve: "CVE-2022-42003", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135244", }, ], notes: [ { category: "description", text: "A flaw was found in FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled due to unchecked primitive value deserializers to avoid deep wrapper array nesting.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42003", }, { category: "external", summary: "RHBZ#2135244", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135244", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42003", url: "https://www.cve.org/CVERecord?id=CVE-2022-42003", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42003", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS", }, { cve: "CVE-2022-42004", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-10-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135247", }, ], notes: [ { category: "description", text: "A flaw was found In FasterXML jackson-databind. This issue could allow an attacker to benefit from resource exhaustion due to the lack of a check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is only vulnerable with certain customized choices for deserialization.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: use of deeply nested arrays", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42004", }, { category: "external", summary: "RHBZ#2135247", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135247", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42004", url: "https://www.cve.org/CVERecord?id=CVE-2022-42004", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42004", }, ], release_date: "2022-10-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: use of deeply nested arrays", }, { cve: "CVE-2022-45047", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2022-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2145194", }, ], notes: [ { category: "description", text: "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.", title: "Vulnerability description", }, { category: "summary", text: "mina-sshd: Java unsafe deserialization vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \n\nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-45047", }, { category: "external", summary: "RHBZ#2145194", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2145194", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-45047", url: "https://www.cve.org/CVERecord?id=CVE-2022-45047", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-45047", }, { category: "external", summary: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", url: "https://www.mail-archive.com/dev@mina.apache.org/msg39312.html", }, ], release_date: "2022-11-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, { category: "workaround", details: "From the maintainer:\n\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "mina-sshd: Java unsafe deserialization vulnerability", }, { cve: "CVE-2022-46363", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155681", }, ], notes: [ { category: "description", text: "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.", title: "Vulnerability description", }, { category: "summary", text: "CXF: directory listing / code exfiltration", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46363", }, { category: "external", summary: "RHBZ#2155681", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155681", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46363", url: "https://www.cve.org/CVERecord?id=CVE-2022-46363", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46363", }, { category: "external", summary: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", url: "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "CXF: directory listing / code exfiltration", }, { cve: "CVE-2022-46364", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, discovery_date: "2022-12-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2155682", }, ], notes: [ { category: "description", text: "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.", title: "Vulnerability description", }, { category: "summary", text: "CXF: SSRF Vulnerability", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-46364", }, { category: "external", summary: "RHBZ#2155682", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2155682", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-46364", url: "https://www.cve.org/CVERecord?id=CVE-2022-46364", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-46364", }, { category: "external", summary: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", url: "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2", }, ], release_date: "2022-12-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "CXF: SSRF Vulnerability", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-03-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2182788", }, ], notes: [ { category: "description", text: "A flaw was found in Jettison. Infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This issue leads to a StackOverflowError exception being thrown.", title: "Vulnerability description", }, { category: "summary", text: "jettison: Uncontrolled Recursion in JSONArray", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1436", }, { category: "external", summary: "RHBZ#2182788", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2182788", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1436", url: "https://www.cve.org/CVERecord?id=CVE-2023-1436", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", url: "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jettison: Uncontrolled Recursion in JSONArray", }, { cve: "CVE-2023-20883", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-05-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2209342", }, ], notes: [ { category: "description", text: "A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed behind a proxy that caches 404 responses. This issue may cause a denial of service (DoS) attack.", title: "Vulnerability description", }, { category: "summary", text: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-20883", }, { category: "external", summary: "RHBZ#2209342", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2209342", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-20883", url: "https://www.cve.org/CVERecord?id=CVE-2023-20883", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-20883", }, ], release_date: "2023-05-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2023-06-15T15:23:47+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.18.3.P2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2023:3641", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.18.3.P2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "spring-boot: Spring Boot Welcome Page DoS Vulnerability", }, ], }
wid-sec-w-2024-0257
Vulnerability from csaf_certbund
Published
2024-01-30 23:00
Modified
2024-02-01 23:00
Summary
IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.
Angriff
Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0257 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0257.json", }, { category: "self", summary: "WID-SEC-2024-0257 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0257", }, { category: "external", summary: "IBM Security Bulletin vom 2024-01-30", url: "https://www.ibm.com/support/pages/node/7112498", }, ], source_lang: "en-US", title: "IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen", tracking: { current_release_date: "2024-02-01T23:00:00.000+00:00", generator: { date: "2024-08-15T18:04:41.191+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0257", initial_release_date: "2024-01-30T23:00:00.000+00:00", revision_history: [ { date: "2024-01-30T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-02-01T23:00:00.000+00:00", number: "2", summary: "Produkt angepasst", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product: { name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product_id: "T032482", product_identification_helper: { cpe: "cpe:/a:ibm:qradar_siem:user_behavior_analytics__4.1.14", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2023-31484", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-31484", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2021-4048", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-4048", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-23445", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-23445", }, ], }
wid-sec-w-2023-2700
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-12-12 23:00
Summary
Atlassian Confluence: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Confluence ist eine kommerzielle Wiki-Software.
Jira ist eine Webanwendung zur Softwareentwicklung.
Bitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "kritisch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Confluence ist eine kommerzielle Wiki-Software.\r\nJira ist eine Webanwendung zur Softwareentwicklung.\r\nBitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.\r\nBamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2700 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2700.json", }, { category: "self", summary: "WID-SEC-2023-2700 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2700", }, { category: "external", summary: "Atlassian Security Update vom 2023-10-17", url: "https://confluence.atlassian.com/security/security-bulletin-october-17-2023-1299929380.html", }, { category: "external", summary: "Atlassian Security Bulletin December 12 2023 vom 2023-12-12", url: "https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html", }, ], source_lang: "en-US", title: "Atlassian Confluence: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-12T23:00:00.000+00:00", generator: { date: "2024-08-15T18:00:13.228+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2700", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-12T23:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Atlassian Bamboo < 9.2.7", product: { name: "Atlassian Bamboo < 9.2.7", product_id: "1529586", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.7", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product: { name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product_id: "T030667", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.5_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product_id: "T030668", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product_id: "T030669", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.3_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.5", product: { name: "Atlassian Bamboo < 9.3.5", product_id: "T031324", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.5", }, }, }, ], category: "product_name", name: "Bamboo", }, { branches: [ { category: "product_name", name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product: { name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product_id: "T030666", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 7.21.18", product: { name: "Atlassian Bitbucket < 7.21.18", product_id: "T031325", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:7.21.18", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.9.7", product: { name: "Atlassian Bitbucket < 8.9.7", product_id: "T031614", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.9.7", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.11.6", product: { name: "Atlassian Bitbucket < 8.11.6", product_id: "T031615", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.11.6", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.12.4", product: { name: "Atlassian Bitbucket < 8.12.4", product_id: "T031616", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.12.4", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.13.3", product: { name: "Atlassian Bitbucket < 8.13.3", product_id: "T031617", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.3", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.14.2", product: { name: "Atlassian Bitbucket < 8.14.2", product_id: "T031618", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.14.2", }, }, }, ], category: "product_name", name: "Bitbucket", }, { branches: [ { category: "product_name", name: "Atlassian Confluence < 8.3.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.3.3 Server and Data Center", product_id: "T030660", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.2 Server and Data Center", product: { name: "Atlassian Confluence < 8.5.2 Server and Data Center", product_id: "T030662", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.2_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.4.3 Server and Data Center", product_id: "T030663", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.3.4", product: { name: "Atlassian Confluence < 8.3.4", product_id: "T030846", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 7.19.17", product: { name: "Atlassian Confluence < 7.19.17", product_id: "T031609", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:7.19.17", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.5", product: { name: "Atlassian Confluence < 8.4.5", product_id: "T031610", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.5", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.4", product: { name: "Atlassian Confluence < 8.5.4", product_id: "T031611", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.6.2", product: { name: "Atlassian Confluence < 8.6.2", product_id: "T031612", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.6.2", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.7.1", product: { name: "Atlassian Confluence < 8.7.1", product_id: "T031613", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.7.1", }, }, }, ], category: "product_name", name: "Confluence", }, { branches: [ { category: "product_name", name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product_id: "T030664", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:4.20.27_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product_id: "T030665", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:5.4.11_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 9.4.13", product: { name: "Atlassian Jira Software < 9.4.13", product_id: "T031606", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:9.4.13", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 4.20.28", product: { name: "Atlassian Jira Software Service Management < 4.20.28", product_id: "T031607", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__4.20.28", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 5.4.12", product: { name: "Atlassian Jira Software Service Management < 5.4.12", product_id: "T031608", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__5.4.12", }, }, }, ], category: "product_name", name: "Jira Software", }, ], category: "vendor", name: "Atlassian", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28709", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-28709", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-22515", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22515", }, { cve: "CVE-2023-22514", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22514", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45685", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45685", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41906", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41906", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-3509", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3509", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2021-46877", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-46877", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-22569", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-22569", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-13936", }, { cve: "CVE-2019-13990", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2019-13990", }, ], }
WID-SEC-W-2023-1350
Vulnerability from csaf_certbund
Published
2023-06-01 22:00
Modified
2024-02-15 23:00
Summary
Splunk Splunk Enterprise: Mehrere Schwachstellen in Komponenten von Drittanbietern
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Splunk Splunk Enterprise in diversen Komponenten von Drittanbietern ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Splunk Splunk Enterprise in diversen Komponenten von Drittanbietern ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1350 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1350.json", }, { category: "self", summary: "WID-SEC-2023-1350 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1350", }, { category: "external", summary: "Splunk Enterprise Security Advisory SVD-2023-0613 vom 2023-06-01", url: "https://advisory.splunk.com/advisories/SVD-2023-0613", }, { category: "external", summary: "IBM Security Bulletin 7008449 vom 2023-06-29", url: "https://www.ibm.com/support/pages/node/7008449", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:0487-1 vom 2024-02-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017931.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:0486-1 vom 2024-02-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017932.html", }, ], source_lang: "en-US", title: "Splunk Splunk Enterprise: Mehrere Schwachstellen in Komponenten von Drittanbietern", tracking: { current_release_date: "2024-02-15T23:00:00.000+00:00", generator: { date: "2024-08-15T17:51:43.161+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1350", initial_release_date: "2023-06-01T22:00:00.000+00:00", revision_history: [ { date: "2023-06-01T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-06-29T22:00:00.000+00:00", number: "2", summary: "Neue Updates von IBM aufgenommen", }, { date: "2024-01-23T23:00:00.000+00:00", number: "3", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-02-15T23:00:00.000+00:00", number: "4", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "4", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM DB2", product: { name: "IBM DB2", product_id: "5104", product_identification_helper: { cpe: "cpe:/a:ibm:db2:-", }, }, }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { branches: [ { category: "product_version_range", name: "< 8.1.14", product: { name: "Splunk Splunk Enterprise < 8.1.14", product_id: "T027935", }, }, { category: "product_version_range", name: "< 8.2.11", product: { name: "Splunk Splunk Enterprise < 8.2.11", product_id: "T027936", }, }, { category: "product_version_range", name: "< 9.0.5", product: { name: "Splunk Splunk Enterprise < 9.0.5", product_id: "T027937", }, }, ], category: "product_name", name: "Splunk Enterprise", }, ], category: "vendor", name: "Splunk", }, ], }, vulnerabilities: [ { cve: "CVE-2023-27538", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27538", }, { cve: "CVE-2023-27537", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27537", }, { cve: "CVE-2023-27536", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27536", }, { cve: "CVE-2023-27535", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27535", }, { cve: "CVE-2023-27534", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27534", }, { cve: "CVE-2023-27533", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27533", }, { cve: "CVE-2023-23916", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-23916", }, { cve: "CVE-2023-23915", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-23915", }, { cve: "CVE-2023-23914", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-23914", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-0286", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-0286", }, { cve: "CVE-2023-0215", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-0215", }, { cve: "CVE-2022-46175", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-46175", }, { cve: "CVE-2022-43680", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-43680", }, { cve: "CVE-2022-43552", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-43552", }, { cve: "CVE-2022-43551", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-43551", }, { cve: "CVE-2022-4304", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-4304", }, { cve: "CVE-2022-42916", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-42916", }, { cve: "CVE-2022-42915", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-42915", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-4200", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-4200", }, { cve: "CVE-2022-41720", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-41720", }, { cve: "CVE-2022-41716", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-41716", }, { cve: "CVE-2022-41715", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-41715", }, { cve: "CVE-2022-40304", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-40304", }, { cve: "CVE-2022-40303", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-40303", }, { cve: "CVE-2022-40023", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-40023", }, { cve: "CVE-2022-38900", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-38900", }, { cve: "CVE-2022-37616", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37616", }, { cve: "CVE-2022-37603", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37603", }, { cve: "CVE-2022-37601", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37601", }, { cve: "CVE-2022-37599", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37599", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-36227", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-36227", }, { cve: "CVE-2022-35737", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-35737", }, { cve: "CVE-2022-35260", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-35260", }, { cve: "CVE-2022-35252", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-35252", }, { cve: "CVE-2022-3517", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-3517", }, { cve: "CVE-2022-33987", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-33987", }, { cve: "CVE-2022-32221", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32221", }, { cve: "CVE-2022-32208", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32208", }, { cve: "CVE-2022-32207", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32207", }, { cve: "CVE-2022-32206", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32206", }, { cve: "CVE-2022-32205", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32205", }, { cve: "CVE-2022-32189", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32189", }, { cve: "CVE-2022-32148", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32148", }, { cve: "CVE-2022-31129", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-31129", }, { cve: "CVE-2022-30635", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30635", }, { cve: "CVE-2022-30634", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30634", }, { cve: "CVE-2022-30633", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30633", }, { cve: "CVE-2022-30632", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30632", }, { cve: "CVE-2022-30631", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30631", }, { cve: "CVE-2022-30630", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30630", }, { cve: "CVE-2022-30629", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30629", }, { cve: "CVE-2022-30580", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30580", }, { cve: "CVE-2022-30115", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30115", }, { cve: "CVE-2022-29804", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-29804", }, { cve: "CVE-2022-29526", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-29526", }, { cve: "CVE-2022-2880", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-2880", }, { cve: "CVE-2022-2879", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-2879", }, { cve: "CVE-2022-28327", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-28327", }, { cve: "CVE-2022-28131", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-28131", }, { cve: "CVE-2022-27782", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27782", }, { cve: "CVE-2022-27781", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27781", }, { cve: "CVE-2022-27780", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27780", }, { cve: "CVE-2022-27779", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27779", }, { cve: "CVE-2022-27778", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27778", }, { cve: "CVE-2022-27776", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27776", }, { cve: "CVE-2022-27775", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27775", }, { cve: "CVE-2022-27774", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27774", }, { cve: "CVE-2022-27664", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27664", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-25858", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-25858", }, { cve: "CVE-2022-24999", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-24999", }, { cve: "CVE-2022-24921", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-24921", }, { cve: "CVE-2022-24675", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-24675", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-23773", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23773", }, { cve: "CVE-2022-23772", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23772", }, { cve: "CVE-2022-23491", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23491", }, { cve: "CVE-2022-22576", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-22576", }, { cve: "CVE-2022-1962", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-1962", }, { cve: "CVE-2022-1705", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-1705", }, { cve: "CVE-2021-43565", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-43565", }, { cve: "CVE-2021-3803", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-3803", }, { cve: "CVE-2021-36976", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-36976", }, { cve: "CVE-2021-3520", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-3520", }, { cve: "CVE-2021-33587", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-33587", }, { cve: "CVE-2021-33503", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-33503", }, { cve: "CVE-2021-33502", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-33502", }, { cve: "CVE-2021-31566", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-31566", }, { cve: "CVE-2021-29060", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-29060", }, { cve: "CVE-2021-27292", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-27292", }, { cve: "CVE-2021-23382", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-23382", }, { cve: "CVE-2021-23368", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-23368", }, { cve: "CVE-2021-23343", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-23343", }, { cve: "CVE-2021-22947", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22947", }, { cve: "CVE-2021-22946", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22946", }, { cve: "CVE-2021-22945", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22945", }, { cve: "CVE-2021-22926", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22926", }, { cve: "CVE-2021-22925", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22925", }, { cve: "CVE-2021-22924", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22924", }, { cve: "CVE-2021-22923", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22923", }, { cve: "CVE-2021-22922", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22922", }, { cve: "CVE-2021-22901", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22901", }, { cve: "CVE-2021-22898", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22898", }, { cve: "CVE-2021-22897", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22897", }, { cve: "CVE-2021-22890", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22890", }, { cve: "CVE-2021-22876", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22876", }, { cve: "CVE-2021-20095", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-20095", }, { cve: "CVE-2020-8286", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8286", }, { cve: "CVE-2020-8285", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8285", }, { cve: "CVE-2020-8284", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8284", }, { cve: "CVE-2020-8231", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8231", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2020-8177", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8177", }, { cve: "CVE-2020-8169", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8169", }, { cve: "CVE-2020-8116", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8116", }, { cve: "CVE-2020-7774", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-7774", }, { cve: "CVE-2020-7753", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-7753", }, { cve: "CVE-2020-7662", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-7662", }, { cve: "CVE-2020-28469", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-28469", }, { cve: "CVE-2020-15138", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-15138", }, { cve: "CVE-2020-13822", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-13822", }, { cve: "CVE-2019-20149", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2019-20149", }, { cve: "CVE-2019-10746", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2019-10746", }, { cve: "CVE-2019-10744", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2019-10744", }, { cve: "CVE-2018-25032", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2018-25032", }, { cve: "CVE-2017-16042", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2017-16042", }, ], }
wid-sec-w-2023-1808
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1808 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1808.json", }, { category: "self", summary: "WID-SEC-2023-1808 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1808", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Financial Services Applications vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:51.752+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1808", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Financial Services Applications 8.1.0", product: { name: "Oracle Financial Services Applications 8.1.0", product_id: "T018983", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.3", product: { name: "Oracle Financial Services Applications <= 14.3", product_id: "T019887", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1", product: { name: "Oracle Financial Services Applications 8.1.1", product_id: "T019891", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.7", product: { name: "Oracle Financial Services Applications 8.0.7", product_id: "T021676", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8", product: { name: "Oracle Financial Services Applications 8.0.8", product_id: "T021677", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1.1", product: { name: "Oracle Financial Services Applications 8.1.1.1", product_id: "T022835", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.1", product: { name: "Oracle Financial Services Applications 8.0.8.1", product_id: "T022844", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.2", product: { name: "Oracle Financial Services Applications 8.0.8.2", product_id: "T024990", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.7", product: { name: "Oracle Financial Services Applications <= 14.7", product_id: "T027348", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.4", product: { name: "Oracle Financial Services Applications 8.1.2.4", product_id: "T027351", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.4", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.6", product: { name: "Oracle Financial Services Applications 14.6", product_id: "T027355", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 18.2.0.0.0", product: { name: "Oracle Financial Services Applications 18.2.0.0.0", product_id: "T028691", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:18.2.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 18.3.0.0.0", product: { name: "Oracle Financial Services Applications 18.3.0.0.0", product_id: "T028692", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:18.3.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.1.0.0.0", product: { name: "Oracle Financial Services Applications 19.1.0.0.0", product_id: "T028693", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.1.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.2.0.0.0", product: { name: "Oracle Financial Services Applications 19.2.0.0.0", product_id: "T028694", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.2.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 21.1.0.0.0", product: { name: "Oracle Financial Services Applications 21.1.0.0.0", product_id: "T028695", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:21.1.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.1.0.0.0", product: { name: "Oracle Financial Services Applications 22.1.0.0.0", product_id: "T028696", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.1.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.2.0.0.0", product: { name: "Oracle Financial Services Applications 22.2.0.0.0", product_id: "T028697", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.2.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.2.0", product: { name: "Oracle Financial Services Applications 14.7.0.2.0", product_id: "T028698", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.2.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.1.0.0", product: { name: "Oracle Financial Services Applications 14.7.1.0.0", product_id: "T028699", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.1.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.5.0.8.0", product: { name: "Oracle Financial Services Applications 14.5.0.8.0", product_id: "T028700", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.5.0.8.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.6.0.4.0", product: { name: "Oracle Financial Services Applications 14.6.0.4.0", product_id: "T028701", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6.0.4.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.0.0", product: { name: "Oracle Financial Services Applications 14.7.0.0.0", product_id: "T028702", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.6.0.3.0", product: { name: "Oracle Financial Services Applications 14.6.0.3.0", product_id: "T028703", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6.0.3.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.1.0", product: { name: "Oracle Financial Services Applications 14.7.0.1.0", product_id: "T028704", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2", product: { name: "Oracle Financial Services Applications 8.1.2", product_id: "T028705", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.5", product: { name: "Oracle Financial Services Applications 8.1.2.5", product_id: "T028706", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.5", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0", product: { name: "Oracle Financial Services Applications 14.7.0", product_id: "T028707", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28708", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28708", }, { cve: "CVE-2023-28439", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28439", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2022-46364", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-46364", }, { cve: "CVE-2022-45693", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45693", }, { cve: "CVE-2022-45199", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45199", }, { cve: "CVE-2022-45143", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45143", }, { cve: "CVE-2022-45047", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45047", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-33879", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-33879", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-31692", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-31692", }, { cve: "CVE-2022-31129", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-31129", }, { cve: "CVE-2022-2048", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-2048", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-13936", }, ], }
WID-SEC-W-2023-1807
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-12-26 23:00
Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1807 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1807.json", }, { category: "self", summary: "WID-SEC-2023-1807 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1807", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Fusion Middleware vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixFMW", }, { category: "external", summary: "Dell Security Advisory DSA-2023-409 vom 2023-12-23", url: "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=", }, ], source_lang: "en-US", title: "Oracle Fusion Middleware: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-26T23:00:00.000+00:00", generator: { date: "2024-08-15T17:55:51.397+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1807", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-26T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Dell aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.3.0", product: { name: "Oracle Fusion Middleware 12.2.1.3.0", product_id: "618028", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.3.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.4.0", product: { name: "Oracle Fusion Middleware 12.2.1.4.0", product_id: "751674", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.4.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 14.1.1.0.0", product: { name: "Oracle Fusion Middleware 14.1.1.0.0", product_id: "829576", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:14.1.1.0.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 9.1.0", product: { name: "Oracle Fusion Middleware 9.1.0", product_id: "T022847", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:9.1.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware < 11.1.2.3.1", product: { name: "Oracle Fusion Middleware < 11.1.2.3.1", product_id: "T028708", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:11.1.2.3.1", }, }, }, ], category: "product_name", name: "Fusion Middleware", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-26119", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-26119", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-25690", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25690", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-23914", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-23914", }, { cve: "CVE-2023-22899", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22899", }, { cve: "CVE-2023-22040", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22040", }, { cve: "CVE-2023-22031", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22031", }, { cve: "CVE-2023-21994", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-21994", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-20860", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20860", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45047", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45047", }, { cve: "CVE-2022-43680", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-43680", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41853", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41853", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-33879", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-33879", }, { cve: "CVE-2022-31197", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-31197", }, { cve: "CVE-2022-29546", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-29546", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2022-24409", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-24409", }, { cve: "CVE-2022-23437", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-23437", }, { cve: "CVE-2021-46877", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-46877", }, { cve: "CVE-2021-43113", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-43113", }, { cve: "CVE-2021-42575", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-42575", }, { cve: "CVE-2021-41184", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-41184", }, { cve: "CVE-2021-4104", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-4104", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-36090", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-36090", }, { cve: "CVE-2021-34429", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-34429", }, { cve: "CVE-2021-33813", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-33813", }, { cve: "CVE-2021-29425", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-29425", }, { cve: "CVE-2021-28168", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-28168", }, { cve: "CVE-2021-26117", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-26117", }, { cve: "CVE-2021-23926", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-23926", }, { cve: "CVE-2020-8908", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-8908", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-13956", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-13956", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-13936", }, ], }
WID-SEC-W-2023-1811
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Construction and Engineering: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterstützung von Bau- und Ingenieurbüros. Sie umfasst u. a. Projektmanagement-Lösungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von Änderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterstützung von Bau- und Ingenieurbüros. Sie umfasst u. a. Projektmanagement-Lösungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von Änderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1811 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1811.json", }, { category: "self", summary: "WID-SEC-2023-1811 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1811", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Construction and Engineering vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixPVA", }, ], source_lang: "en-US", title: "Oracle Construction and Engineering: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:52.560+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1811", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Construction and Engineering <= 18.8.15", product: { name: "Oracle Construction and Engineering <= 18.8.15", product_id: "T024984", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:18.8.15", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 18.8.18", product: { name: "Oracle Construction and Engineering <= 18.8.18", product_id: "T027344", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:18.8.18", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 19.12.16", product: { name: "Oracle Construction and Engineering <= 19.12.16", product_id: "T027345", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:19.12.16", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 20.12.16", product: { name: "Oracle Construction and Engineering <= 20.12.16", product_id: "T027346", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:20.12.16", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 20.12.11", product: { name: "Oracle Construction and Engineering <= 20.12.11", product_id: "T028686", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:20.12.11", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 21.12.9", product: { name: "Oracle Construction and Engineering <= 21.12.9", product_id: "T028687", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:21.12.9", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 21.12.15", product: { name: "Oracle Construction and Engineering <= 21.12.15", product_id: "T028688", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:21.12.15", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 22.12.6", product: { name: "Oracle Construction and Engineering <= 22.12.6", product_id: "T028689", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:22.12.6", }, }, }, ], category: "product_name", name: "Construction and Engineering", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
wid-sec-w-2024-0054
Vulnerability from csaf_certbund
Published
2024-01-09 23:00
Modified
2024-01-09 23:00
Summary
IBM Security Verify Access: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM Security Verify Access, ehemals IBM Security Access Manager (ISAM), ist eine Zugriffsverwaltungslösung.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM Security Verify Access ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen.
Betroffene Betriebssysteme
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM Security Verify Access, ehemals IBM Security Access Manager (ISAM), ist eine Zugriffsverwaltungslösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in IBM Security Verify Access ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen.", title: "Angriff", }, { category: "general", text: "- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0054 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0054.json", }, { category: "self", summary: "WID-SEC-2024-0054 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0054", }, { category: "external", summary: "IBM Security Bulletin 7106586 vom 2024-01-09", url: "https://www.ibm.com/support/pages/node/7106586", }, { category: "external", summary: "IBM Security Bulletin 7106583 vom 2024-01-09", url: "https://www.ibm.com/support/pages/node/7106583", }, ], source_lang: "en-US", title: "IBM Security Verify Access: Mehrere Schwachstellen", tracking: { current_release_date: "2024-01-09T23:00:00.000+00:00", generator: { date: "2024-08-15T18:03:29.433+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0054", initial_release_date: "2024-01-09T23:00:00.000+00:00", revision_history: [ { date: "2024-01-09T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM Security Verify Access < 10.0.7-ISS-ISVA-FP0000", product: { name: "IBM Security Verify Access < 10.0.7-ISS-ISVA-FP0000", product_id: "T031968", product_identification_helper: { cpe: "cpe:/a:ibm:security_verify_access:10.0.7-iss-isva-fp0000", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2032-43016", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2032-43016", }, { cve: "CVE-2023-43017", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-43017", }, { cve: "CVE-2023-40225", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-40225", }, { cve: "CVE-2023-39417", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-39417", }, { cve: "CVE-2023-38369", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-38369", }, { cve: "CVE-2023-38267", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-38267", }, { cve: "CVE-2023-32697", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32697", }, { cve: "CVE-2023-32330", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32330", }, { cve: "CVE-2023-32329", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32329", }, { cve: "CVE-2023-32328", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32328", }, { cve: "CVE-2023-32327", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32327", }, { cve: "CVE-2023-31006", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31006", }, { cve: "CVE-2023-31005", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31005", }, { cve: "CVE-2023-31004", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31004", }, { cve: "CVE-2023-31003", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31003", }, { cve: "CVE-2023-31002", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31002", }, { cve: "CVE-2023-31001", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31001", }, { cve: "CVE-2023-30999", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-30999", }, { cve: "CVE-2023-25725", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-25725", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-2455", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-2455", }, { cve: "CVE-2023-2454", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-2454", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-41862", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-41862", }, { cve: "CVE-2022-2625", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-2625", }, { cve: "CVE-2022-2068", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-2068", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2020-11100", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2020-11100", }, { cve: "CVE-2019-19330", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-19330", }, { cve: "CVE-2019-18277", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-18277", }, { cve: "CVE-2019-18276", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-18276", }, { cve: "CVE-2019-14241", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-14241", }, { cve: "CVE-2017-18342", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2017-18342", }, { cve: "CVE-2015-5237", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2015-5237", }, ], }
WID-SEC-W-2024-0889
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Support Tools: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Die Oracle Support Tools sind eine Sammlung von Werkzeugen zur Wartung und zum Support von Oracle Produkten.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Support Tools ausnutzen, um die Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Die Oracle Support Tools sind eine Sammlung von Werkzeugen zur Wartung und zum Support von Oracle Produkten.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Support Tools ausnutzen, um die Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0889 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0889.json", }, { category: "self", summary: "WID-SEC-2024-0889 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0889", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Support Tools vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixTOOL", }, ], source_lang: "en-US", title: "Oracle Support Tools: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:45.520+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0889", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "2.12.44", product: { name: "Oracle Support Tools 2.12.44", product_id: "T034192", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:2.12.44", }, }, }, { category: "product_version", name: "23.1.23.1.17", product: { name: "Oracle Support Tools 23.1.23.1.17", product_id: "T034193", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:23.1.23.1.17", }, }, }, { category: "product_version", name: "2.12.45", product: { name: "Oracle Support Tools 2.12.45", product_id: "T034194", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:2.12.45", }, }, }, { category: "product_version", name: "24.1.24.1.16", product: { name: "Oracle Support Tools 24.1.24.1.16", product_id: "T034195", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:24.1.24.1.16", }, }, }, ], category: "product_name", name: "Support Tools", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Support Tools existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Integrität und Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T034194", "T034193", "T034192", "T034195", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Support Tools existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Integrität und Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T034194", "T034193", "T034192", "T034195", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, ], }
wid-sec-w-2024-0889
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Support Tools: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Die Oracle Support Tools sind eine Sammlung von Werkzeugen zur Wartung und zum Support von Oracle Produkten.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Support Tools ausnutzen, um die Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Die Oracle Support Tools sind eine Sammlung von Werkzeugen zur Wartung und zum Support von Oracle Produkten.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Support Tools ausnutzen, um die Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0889 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0889.json", }, { category: "self", summary: "WID-SEC-2024-0889 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0889", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Support Tools vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixTOOL", }, ], source_lang: "en-US", title: "Oracle Support Tools: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:45.520+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0889", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "2.12.44", product: { name: "Oracle Support Tools 2.12.44", product_id: "T034192", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:2.12.44", }, }, }, { category: "product_version", name: "23.1.23.1.17", product: { name: "Oracle Support Tools 23.1.23.1.17", product_id: "T034193", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:23.1.23.1.17", }, }, }, { category: "product_version", name: "2.12.45", product: { name: "Oracle Support Tools 2.12.45", product_id: "T034194", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:2.12.45", }, }, }, { category: "product_version", name: "24.1.24.1.16", product: { name: "Oracle Support Tools 24.1.24.1.16", product_id: "T034195", product_identification_helper: { cpe: "cpe:/a:oracle:support_tools:24.1.24.1.16", }, }, }, ], category: "product_name", name: "Support Tools", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Support Tools existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Integrität und Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T034194", "T034193", "T034192", "T034195", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Support Tools existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Integrität und Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T034194", "T034193", "T034192", "T034195", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, ], }
wid-sec-w-2023-1022
Vulnerability from csaf_certbund
Published
2023-04-18 22:00
Modified
2023-04-18 22:00
Summary
Oracle Communications Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1022 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1022.json", }, { category: "self", summary: "WID-SEC-2023-1022 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1022", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Communications Applications vom 2023-04-18", url: "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixCAGBU", }, ], source_lang: "en-US", title: "Oracle Communications Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-04-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:49:25.156+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1022", initial_release_date: "2023-04-18T22:00:00.000+00:00", revision_history: [ { date: "2023-04-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Communications Applications 7.4.0", product: { name: "Oracle Communications Applications 7.4.0", product_id: "T018938", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.4.0", }, }, }, { category: "product_name", name: "Oracle Communications Applications 7.4.1", product: { name: "Oracle Communications Applications 7.4.1", product_id: "T018939", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.4.1", }, }, }, { category: "product_name", name: "Oracle Communications Applications 7.4.2", product: { name: "Oracle Communications Applications 7.4.2", product_id: "T018940", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.4.2", }, }, }, { category: "product_name", name: "Oracle Communications Applications 6.0.1.0.0", product: { name: "Oracle Communications Applications 6.0.1.0.0", product_id: "T021634", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:6.0.1.0.0", }, }, }, { category: "product_name", name: "Oracle Communications Applications 7.5.0", product: { name: "Oracle Communications Applications 7.5.0", product_id: "T021639", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.5.0", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 5.5.9", product: { name: "Oracle Communications Applications <= 5.5.9", product_id: "T025857", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:5.5.9", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 6.0.1", product: { name: "Oracle Communications Applications <= 6.0.1", product_id: "T025858", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:6.0.1", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 5.5.10", product: { name: "Oracle Communications Applications <= 5.5.10", product_id: "T027322", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:5.5.10", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 6.0.2", product: { name: "Oracle Communications Applications <= 6.0.2", product_id: "T027323", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:6.0.2", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 12.0.6", product: { name: "Oracle Communications Applications <= 12.0.6", product_id: "T027324", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:12.0.6", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 12.0.6.0.0", product: { name: "Oracle Communications Applications <= 12.0.6.0.0", product_id: "T027325", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:12.0.6.0.0", }, }, }, ], category: "product_name", name: "Communications Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-0662", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-0662", }, { cve: "CVE-2022-46908", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-46908", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-39271", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-39271", }, { cve: "CVE-2022-36760", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-36760", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-31123", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-31123", }, { cve: "CVE-2022-31081", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-31081", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-41183", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-41183", }, { cve: "CVE-2020-7009", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-7009", }, { cve: "CVE-2020-35168", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-35168", }, { cve: "CVE-2019-11287", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2019-11287", }, ], }
WID-SEC-W-2024-0888
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Systems: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Systems umfasst eine Sammlung von Hardware, Betriebssystemen, Servern und Anwendungen.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Oracle Systems ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Systems umfasst eine Sammlung von Hardware, Betriebssystemen, Servern und Anwendungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Oracle Systems ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0888 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0888.json", }, { category: "self", summary: "WID-SEC-2024-0888 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0888", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Systems vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixSUNS", }, ], source_lang: "en-US", title: "Oracle Systems: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:45.335+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0888", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "8.8", product: { name: "Oracle Systems 8.8", product_id: "T019057", product_identification_helper: { cpe: "cpe:/a:oracle:systems:8.8", }, }, }, { category: "product_version", name: "11", product: { name: "Oracle Systems 11", product_id: "T019059", product_identification_helper: { cpe: "cpe:/a:oracle:systems:11", }, }, }, { category: "product_version", name: "4", product: { name: "Oracle Systems 4", product_id: "T022889", product_identification_helper: { cpe: "cpe:/a:oracle:systems:4", }, }, }, { category: "product_version", name: "2.5", product: { name: "Oracle Systems 2.5", product_id: "T034196", product_identification_helper: { cpe: "cpe:/a:oracle:systems:2.5", }, }, }, ], category: "product_name", name: "Systems", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35168", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2020-35168", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2022-24839", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-24839", }, { cve: "CVE-2022-34381", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-34381", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2024-20999", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-20999", }, { cve: "CVE-2024-21059", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21059", }, { cve: "CVE-2024-21104", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21104", }, { cve: "CVE-2024-21105", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21105", }, ], }
WID-SEC-W-2024-0871
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Commerce: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Commerce ist eine elektronische Handelsplattform.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Commerce ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Commerce ist eine elektronische Handelsplattform.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Commerce ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0871 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0871.json", }, { category: "self", summary: "WID-SEC-2024-0871 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0871", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Commerce vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixOCOM", }, ], source_lang: "en-US", title: "Oracle Commerce: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:40.784+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0871", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "11.3.0", product: { name: "Oracle Commerce 11.3.0", product_id: "T018931", product_identification_helper: { cpe: "cpe:/a:oracle:commerce:11.3.0", }, }, }, { category: "product_version", name: "11.3.1", product: { name: "Oracle Commerce 11.3.1", product_id: "T018932", product_identification_helper: { cpe: "cpe:/a:oracle:commerce:11.3.1", }, }, }, { category: "product_version", name: "11.3.2", product: { name: "Oracle Commerce 11.3.2", product_id: "T018933", product_identification_helper: { cpe: "cpe:/a:oracle:commerce:11.3.2", }, }, }, ], category: "product_name", name: "Commerce", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-46364", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-46364", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-41080", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-41080", }, { cve: "CVE-2023-5072", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2024-21100", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21100", }, ], }
wid-sec-w-2023-1755
Vulnerability from csaf_certbund
Published
2023-07-16 22:00
Modified
2023-07-16 22:00
Summary
IBM InfoSphere Information Server: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.
Angriff
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1755 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1755.json", }, { category: "self", summary: "WID-SEC-2023-1755 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1755", }, { category: "external", summary: "IBM Security Bulletin: 7007051 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/7007051", }, { category: "external", summary: "IBM Security Bulletin: 6988683 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/6988683", }, { category: "external", summary: "IBM Security Bulletin: 6988679 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/6988679", }, { category: "external", summary: "IBM Security Bulletin: 6988677 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/6988677", }, ], source_lang: "en-US", title: "IBM InfoSphere Information Server: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-16T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:36.670+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1755", initial_release_date: "2023-07-16T22:00:00.000+00:00", revision_history: [ { date: "2023-07-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM InfoSphere Information Server 11.7", product: { name: "IBM InfoSphere Information Server 11.7", product_id: "444803", product_identification_helper: { cpe: "cpe:/a:ibm:infosphere_information_server:11.7", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2023-2861", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-2861", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-20860", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-20860", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-1108", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-1108", }, { cve: "CVE-2022-4492", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-4492", }, { cve: "CVE-2022-41854", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-41854", }, { cve: "CVE-2022-38752", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38752", }, { cve: "CVE-2022-38751", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38751", }, { cve: "CVE-2022-38750", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38750", }, { cve: "CVE-2022-38749", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38749", }, { cve: "CVE-2022-25857", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-25857", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2022-1259", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-1259", }, ], }
WID-SEC-W-2023-2687
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-10-17 22:00
Summary
Oracle Siebel CRM: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Siebel CRM ist eine CRM-Lösung von Oracle.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Siebel CRM ausnutzen, um die Vertraulichkeit und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Siebel CRM ist eine CRM-Lösung von Oracle.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Siebel CRM ausnutzen, um die Vertraulichkeit und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2687 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2687.json", }, { category: "self", summary: "WID-SEC-2023-2687 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2687", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - October 2023 - Appendix Oracle Siebel CRM vom 2023-10-17", url: "https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixSECR", }, ], source_lang: "en-US", title: "Oracle Siebel CRM: Mehrere Schwachstellen", tracking: { current_release_date: "2023-10-17T22:00:00.000+00:00", generator: { date: "2024-08-15T18:00:04.829+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2687", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Oracle Siebel CRM <= 23.8", product: { name: "Oracle Siebel CRM <= 23.8", product_id: "T030617", product_identification_helper: { cpe: "cpe:/a:oracle:siebel_crm:23.8", }, }, }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Siebel CRM existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T030617", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Siebel CRM existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T030617", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
wid-sec-w-2023-1602
Vulnerability from csaf_certbund
Published
2023-06-29 22:00
Modified
2023-10-03 22:00
Summary
Elasticsearch: Schwachstelle ermöglicht Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Elasticsearch ist eine Open Source, verteilte Echtzeit-Suche und Analyse-Engine.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Elasticsearch ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Elasticsearch ist eine Open Source, verteilte Echtzeit-Suche und Analyse-Engine.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Elasticsearch ausnutzen, um einen Denial of Service Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1602 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1602.json", }, { category: "self", summary: "WID-SEC-2023-1602 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1602", }, { category: "external", summary: "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03", url: "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html", }, { category: "external", summary: "Elastic Security Announcement ESA-2023-09 vom 2023-07-18", url: "https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-2-13-3-3-3-0-security-update/338650", }, { category: "external", summary: "Elasticsearch 8.8.2, 7.17.11 Security Update vom 2023-06-29", url: "https://discuss.elastic.co/t/subject-elasticsearch-8-8-2-7-17-11-security-update/337205", }, ], source_lang: "en-US", title: "Elasticsearch: Schwachstelle ermöglicht Denial of Service", tracking: { current_release_date: "2023-10-03T22:00:00.000+00:00", generator: { date: "2024-08-15T17:53:56.255+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1602", initial_release_date: "2023-06-29T22:00:00.000+00:00", revision_history: [ { date: "2023-06-29T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-07-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Elastic aufgenommen", }, { date: "2023-08-10T22:00:00.000+00:00", number: "3", summary: "Korrektur Produktzuordnung", }, { date: "2023-10-03T22:00:00.000+00:00", number: "4", summary: "Neue Updates von HITACHI aufgenommen", }, ], status: "final", version: "4", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Hitachi Ops Center < Analyzer 10.9.3-00", product: { name: "Hitachi Ops Center < Analyzer 10.9.3-00", product_id: "T030196", product_identification_helper: { cpe: "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00", }, }, }, { category: "product_name", name: "Hitachi Ops Center < Viewpoint 10.9.3-00", product: { name: "Hitachi Ops Center < Viewpoint 10.9.3-00", product_id: "T030197", product_identification_helper: { cpe: "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00", }, }, }, ], category: "product_name", name: "Ops Center", }, ], category: "vendor", name: "Hitachi", }, { branches: [ { branches: [ { category: "product_name", name: "Open Source Elasticsearch < 8.8.2", product: { name: "Open Source Elasticsearch < 8.8.2", product_id: "T028370", product_identification_helper: { cpe: "cpe:/a:elasticsearch:elasticsearch:8.8.2", }, }, }, { category: "product_name", name: "Open Source Elasticsearch < 7.17.11", product: { name: "Open Source Elasticsearch < 7.17.11", product_id: "T028371", product_identification_helper: { cpe: "cpe:/a:elasticsearch:elasticsearch:7.17.11", }, }, }, ], category: "product_name", name: "Elasticsearch", }, ], category: "vendor", name: "Open Source", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Elasticsearch. Diese besteht aufgrund der Verwendung einer transitiven Abhängigkeit zu \"json-smart\", die verschachtelte Arrays auf unsichere Weise parst. Es sind nur Nutzer betroffen, die mindestens einen OpenID Connect-Authentifizierungsbereich oder mindestens einen JWT-Authentifizierungsbereich konfiguriert haben. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen.", }, ], product_status: { known_affected: [ "T030196", "T030197", ], }, release_date: "2023-06-29T22:00:00.000+00:00", title: "CVE-2023-1370", }, ], }
WID-SEC-W-2024-0124
Vulnerability from csaf_certbund
Published
2024-01-16 23:00
Modified
2024-01-16 23:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0124 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0124.json", }, { category: "self", summary: "WID-SEC-2024-0124 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0124", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Financial Services Applications vom 2024-01-16", url: "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2024-01-16T23:00:00.000+00:00", generator: { date: "2024-08-15T18:03:50.294+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0124", initial_release_date: "2024-01-16T23:00:00.000+00:00", revision_history: [ { date: "2024-01-16T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Financial Services Applications 2.7.1", product: { name: "Oracle Financial Services Applications 2.7.1", product_id: "T018979", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.7.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.8.0", product: { name: "Oracle Financial Services Applications 2.8.0", product_id: "T018980", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.8.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.9.0", product: { name: "Oracle Financial Services Applications 2.9.0", product_id: "T018981", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.9.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.0", product: { name: "Oracle Financial Services Applications 8.1.0", product_id: "T018983", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.9", product: { name: "Oracle Financial Services Applications 8.0.9", product_id: "T019890", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.9", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1", product: { name: "Oracle Financial Services Applications 8.1.1", product_id: "T019891", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.7", product: { name: "Oracle Financial Services Applications 8.0.7", product_id: "T021676", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8", product: { name: "Oracle Financial Services Applications 8.0.8", product_id: "T021677", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1.1", product: { name: "Oracle Financial Services Applications 8.1.1.1", product_id: "T022835", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.1", product: { name: "Oracle Financial Services Applications 8.0.8.1", product_id: "T022844", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.2", product: { name: "Oracle Financial Services Applications 8.0.8.2", product_id: "T024990", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.9.1", product: { name: "Oracle Financial Services Applications 2.9.1", product_id: "T027359", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.9.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2", product: { name: "Oracle Financial Services Applications 8.1.2", product_id: "T028705", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.5", product: { name: "Oracle Financial Services Applications 8.1.2.5", product_id: "T028706", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.5", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.7.0", product: { name: "Oracle Financial Services Applications <= 14.7.0", product_id: "T028707", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.1.0", product: { name: "Oracle Financial Services Applications 22.1.0", product_id: "T032101", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.2.0", product: { name: "Oracle Financial Services Applications 22.2.0", product_id: "T032102", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.2.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 21.1.0", product: { name: "Oracle Financial Services Applications 21.1.0", product_id: "T032103", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:21.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.6", product: { name: "Oracle Financial Services Applications 8.1.2.6", product_id: "T032104", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.6", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.1.0", product: { name: "Oracle Financial Services Applications 19.1.0", product_id: "T032105", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 5.0.0", product: { name: "Oracle Financial Services Applications 5.0.0", product_id: "T032106", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:5.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 5.1.0", product: { name: "Oracle Financial Services Applications 5.1.0", product_id: "T032107", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:5.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 3.2.0", product: { name: "Oracle Financial Services Applications <= 3.2.0", product_id: "T032108", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:3.2.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 4.0.0", product: { name: "Oracle Financial Services Applications 4.0.0", product_id: "T032109", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:4.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 6.0.0", product: { name: "Oracle Financial Services Applications 6.0.0", product_id: "T032110", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:6.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.3.0", product: { name: "Oracle Financial Services Applications 14.7.0.3.0", product_id: "T032111", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.3.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 3.0.0", product: { name: "Oracle Financial Services Applications 3.0.0", product_id: "T032112", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:3.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 3.1.0", product: { name: "Oracle Financial Services Applications 3.1.0", product_id: "T032113", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:3.1.0", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-5072", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2023-46604", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-46604", }, { cve: "CVE-2023-44483", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-44483", }, { cve: "CVE-2023-42503", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-42503", }, { cve: "CVE-2023-34034", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-34034", }, { cve: "CVE-2023-33201", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-33201", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-2618", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-2618", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-21901", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-21901", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-44729", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-44729", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-36944", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-36944", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-34169", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-34169", }, { cve: "CVE-2022-31692", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-31692", }, { cve: "CVE-2022-31160", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-31160", }, { cve: "CVE-2022-25147", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-25147", }, { cve: "CVE-2022-22979", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-22979", }, { cve: "CVE-2022-22969", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-22969", }, { cve: "CVE-2020-5410", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2020-5410", }, { cve: "CVE-2020-15250", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2020-15250", }, ], }
wid-sec-w-2024-1639
Vulnerability from csaf_certbund
Published
2024-07-16 22:00
Modified
2024-07-16 22:00
Summary
Oracle Enterprise Manager: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-1639 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1639.json", }, { category: "self", summary: "WID-SEC-2024-1639 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1639", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2024 - Appendix Oracle Enterprise Manager vom 2024-07-16", url: "https://www.oracle.com/security-alerts/cpujul2024.html#AppendixEM", }, ], source_lang: "en-US", title: "Oracle Enterprise Manager: Mehrere Schwachstellen", tracking: { current_release_date: "2024-07-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:11:26.530+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-1639", initial_release_date: "2024-07-16T22:00:00.000+00:00", revision_history: [ { date: "2024-07-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "13.5.0.0", product: { name: "Oracle Enterprise Manager 13.5.0.0", product_id: "1578093", product_identification_helper: { cpe: "cpe:/a:oracle:enterprise_manager:13.5.0.0", }, }, }, { category: "product_version", name: "13.3.0.1", product: { name: "Oracle Enterprise Manager 13.3.0.1", product_id: "T018974", product_identification_helper: { cpe: "cpe:/a:oracle:enterprise_manager:13.3.0.1", }, }, }, ], category: "product_name", name: "Enterprise Manager", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "1578093", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "1578093", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-40167", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "1578093", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-40167", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "1578093", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, ], }
wid-sec-w-2023-1350
Vulnerability from csaf_certbund
Published
2023-06-01 22:00
Modified
2024-02-15 23:00
Summary
Splunk Splunk Enterprise: Mehrere Schwachstellen in Komponenten von Drittanbietern
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Splunk Splunk Enterprise in diversen Komponenten von Drittanbietern ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Splunk Enterprise ermöglicht Monitoring und Analyse von Clickstream-Daten und Kundentransaktionen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Splunk Splunk Enterprise in diversen Komponenten von Drittanbietern ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1350 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1350.json", }, { category: "self", summary: "WID-SEC-2023-1350 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1350", }, { category: "external", summary: "Splunk Enterprise Security Advisory SVD-2023-0613 vom 2023-06-01", url: "https://advisory.splunk.com/advisories/SVD-2023-0613", }, { category: "external", summary: "IBM Security Bulletin 7008449 vom 2023-06-29", url: "https://www.ibm.com/support/pages/node/7008449", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:0196-1 vom 2024-01-23", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-January/017743.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:0487-1 vom 2024-02-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017931.html", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:0486-1 vom 2024-02-15", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-February/017932.html", }, ], source_lang: "en-US", title: "Splunk Splunk Enterprise: Mehrere Schwachstellen in Komponenten von Drittanbietern", tracking: { current_release_date: "2024-02-15T23:00:00.000+00:00", generator: { date: "2024-08-15T17:51:43.161+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1350", initial_release_date: "2023-06-01T22:00:00.000+00:00", revision_history: [ { date: "2023-06-01T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-06-29T22:00:00.000+00:00", number: "2", summary: "Neue Updates von IBM aufgenommen", }, { date: "2024-01-23T23:00:00.000+00:00", number: "3", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-02-15T23:00:00.000+00:00", number: "4", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "4", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM DB2", product: { name: "IBM DB2", product_id: "5104", product_identification_helper: { cpe: "cpe:/a:ibm:db2:-", }, }, }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, { branches: [ { branches: [ { category: "product_version_range", name: "< 8.1.14", product: { name: "Splunk Splunk Enterprise < 8.1.14", product_id: "T027935", }, }, { category: "product_version_range", name: "< 8.2.11", product: { name: "Splunk Splunk Enterprise < 8.2.11", product_id: "T027936", }, }, { category: "product_version_range", name: "< 9.0.5", product: { name: "Splunk Splunk Enterprise < 9.0.5", product_id: "T027937", }, }, ], category: "product_name", name: "Splunk Enterprise", }, ], category: "vendor", name: "Splunk", }, ], }, vulnerabilities: [ { cve: "CVE-2023-27538", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27538", }, { cve: "CVE-2023-27537", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27537", }, { cve: "CVE-2023-27536", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27536", }, { cve: "CVE-2023-27535", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27535", }, { cve: "CVE-2023-27534", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27534", }, { cve: "CVE-2023-27533", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-27533", }, { cve: "CVE-2023-23916", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-23916", }, { cve: "CVE-2023-23915", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-23915", }, { cve: "CVE-2023-23914", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-23914", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-0286", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-0286", }, { cve: "CVE-2023-0215", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2023-0215", }, { cve: "CVE-2022-46175", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-46175", }, { cve: "CVE-2022-43680", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-43680", }, { cve: "CVE-2022-43552", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-43552", }, { cve: "CVE-2022-43551", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-43551", }, { cve: "CVE-2022-4304", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-4304", }, { cve: "CVE-2022-42916", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-42916", }, { cve: "CVE-2022-42915", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-42915", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-4200", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-4200", }, { cve: "CVE-2022-41720", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-41720", }, { cve: "CVE-2022-41716", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-41716", }, { cve: "CVE-2022-41715", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-41715", }, { cve: "CVE-2022-40304", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-40304", }, { cve: "CVE-2022-40303", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-40303", }, { cve: "CVE-2022-40023", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-40023", }, { cve: "CVE-2022-38900", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-38900", }, { cve: "CVE-2022-37616", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37616", }, { cve: "CVE-2022-37603", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37603", }, { cve: "CVE-2022-37601", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37601", }, { cve: "CVE-2022-37599", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37599", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-36227", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-36227", }, { cve: "CVE-2022-35737", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-35737", }, { cve: "CVE-2022-35260", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-35260", }, { cve: "CVE-2022-35252", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-35252", }, { cve: "CVE-2022-3517", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-3517", }, { cve: "CVE-2022-33987", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-33987", }, { cve: "CVE-2022-32221", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32221", }, { cve: "CVE-2022-32208", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32208", }, { cve: "CVE-2022-32207", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32207", }, { cve: "CVE-2022-32206", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32206", }, { cve: "CVE-2022-32205", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32205", }, { cve: "CVE-2022-32189", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32189", }, { cve: "CVE-2022-32148", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-32148", }, { cve: "CVE-2022-31129", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-31129", }, { cve: "CVE-2022-30635", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30635", }, { cve: "CVE-2022-30634", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30634", }, { cve: "CVE-2022-30633", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30633", }, { cve: "CVE-2022-30632", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30632", }, { cve: "CVE-2022-30631", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30631", }, { cve: "CVE-2022-30630", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30630", }, { cve: "CVE-2022-30629", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30629", }, { cve: "CVE-2022-30580", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30580", }, { cve: "CVE-2022-30115", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-30115", }, { cve: "CVE-2022-29804", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-29804", }, { cve: "CVE-2022-29526", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-29526", }, { cve: "CVE-2022-2880", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-2880", }, { cve: "CVE-2022-2879", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-2879", }, { cve: "CVE-2022-28327", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-28327", }, { cve: "CVE-2022-28131", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-28131", }, { cve: "CVE-2022-27782", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27782", }, { cve: "CVE-2022-27781", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27781", }, { cve: "CVE-2022-27780", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27780", }, { cve: "CVE-2022-27779", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27779", }, { cve: "CVE-2022-27778", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27778", }, { cve: "CVE-2022-27776", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27776", }, { cve: "CVE-2022-27775", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27775", }, { cve: "CVE-2022-27774", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27774", }, { cve: "CVE-2022-27664", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27664", }, { cve: "CVE-2022-27191", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-27191", }, { cve: "CVE-2022-25858", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-25858", }, { cve: "CVE-2022-24999", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-24999", }, { cve: "CVE-2022-24921", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-24921", }, { cve: "CVE-2022-24675", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-24675", }, { cve: "CVE-2022-23806", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23806", }, { cve: "CVE-2022-23773", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23773", }, { cve: "CVE-2022-23772", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23772", }, { cve: "CVE-2022-23491", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-23491", }, { cve: "CVE-2022-22576", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-22576", }, { cve: "CVE-2022-1962", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-1962", }, { cve: "CVE-2022-1705", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2022-1705", }, { cve: "CVE-2021-43565", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-43565", }, { cve: "CVE-2021-3803", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-3803", }, { cve: "CVE-2021-36976", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-36976", }, { cve: "CVE-2021-3520", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-3520", }, { cve: "CVE-2021-33587", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-33587", }, { cve: "CVE-2021-33503", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-33503", }, { cve: "CVE-2021-33502", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-33502", }, { cve: "CVE-2021-31566", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-31566", }, { cve: "CVE-2021-29060", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-29060", }, { cve: "CVE-2021-27292", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-27292", }, { cve: "CVE-2021-23382", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-23382", }, { cve: "CVE-2021-23368", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-23368", }, { cve: "CVE-2021-23343", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-23343", }, { cve: "CVE-2021-22947", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22947", }, { cve: "CVE-2021-22946", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22946", }, { cve: "CVE-2021-22945", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22945", }, { cve: "CVE-2021-22926", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22926", }, { cve: "CVE-2021-22925", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22925", }, { cve: "CVE-2021-22924", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22924", }, { cve: "CVE-2021-22923", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22923", }, { cve: "CVE-2021-22922", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22922", }, { cve: "CVE-2021-22901", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22901", }, { cve: "CVE-2021-22898", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22898", }, { cve: "CVE-2021-22897", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22897", }, { cve: "CVE-2021-22890", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22890", }, { cve: "CVE-2021-22876", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-22876", }, { cve: "CVE-2021-20095", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2021-20095", }, { cve: "CVE-2020-8286", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8286", }, { cve: "CVE-2020-8285", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8285", }, { cve: "CVE-2020-8284", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8284", }, { cve: "CVE-2020-8231", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8231", }, { cve: "CVE-2020-8203", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8203", }, { cve: "CVE-2020-8177", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8177", }, { cve: "CVE-2020-8169", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8169", }, { cve: "CVE-2020-8116", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-8116", }, { cve: "CVE-2020-7774", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-7774", }, { cve: "CVE-2020-7753", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-7753", }, { cve: "CVE-2020-7662", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-7662", }, { cve: "CVE-2020-28469", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-28469", }, { cve: "CVE-2020-15138", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-15138", }, { cve: "CVE-2020-13822", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2020-13822", }, { cve: "CVE-2019-20149", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2019-20149", }, { cve: "CVE-2019-10746", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2019-10746", }, { cve: "CVE-2019-10744", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2019-10744", }, { cve: "CVE-2018-25032", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2018-25032", }, { cve: "CVE-2017-16042", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Splunk Splunk Enterprise in zahlreichen Komponenten von Drittanbietern (OpenSSL, curl, go, zlib, SQLite, json und weitere), die zum aktuellen Zeitpunkt nicht im Detail beschrieben und veröffentlicht wurden. Ein Angreifer kann diese Schwachstellen ausnutzen, um nicht näher spezifizierte Auswirkungen zu verursachen.", }, ], product_status: { known_affected: [ "T002207", "5104", ], }, release_date: "2023-06-01T22:00:00.000+00:00", title: "CVE-2017-16042", }, ], }
WID-SEC-W-2024-0257
Vulnerability from csaf_certbund
Published
2024-01-30 23:00
Modified
2024-02-01 23:00
Summary
IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.
Angriff
Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM QRadar Security Information and Event Management (SIEM) bietet Unterstützung bei der Erkennung und Priorisierung von Sicherheitsbedrohungen im Unternehmen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein anonymer Angreifer kann mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics ausnutzen, um einen Denial-of-Service-Zustand herbeizuführen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0257 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0257.json", }, { category: "self", summary: "WID-SEC-2024-0257 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0257", }, { category: "external", summary: "IBM Security Bulletin vom 2024-01-30", url: "https://www.ibm.com/support/pages/node/7112498", }, ], source_lang: "en-US", title: "IBM QRadar SIEM User Behavior Analytics: Mehrere Schwachstellen", tracking: { current_release_date: "2024-02-01T23:00:00.000+00:00", generator: { date: "2024-08-15T18:04:41.191+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0257", initial_release_date: "2024-01-30T23:00:00.000+00:00", revision_history: [ { date: "2024-01-30T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-02-01T23:00:00.000+00:00", number: "2", summary: "Produkt angepasst", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product: { name: "IBM QRadar SIEM User Behavior Analytics < 4.1.14", product_id: "T032482", product_identification_helper: { cpe: "cpe:/a:ibm:qradar_siem:user_behavior_analytics__4.1.14", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2023-31484", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-31484", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2021-4048", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-4048", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-23445", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM QRadar SIEM User Behavior Analytics. Diese Fehler bestehen in mehreren Komponenten wie CPAN.pm oder datatables.net, unter anderem aufgrund mehrerer sicherheitsrelevanter Probleme wie einer unsachgemäßen Validierung von TLS-Zertifikaten, einem Out-of-Bounds-Read oder einer unsachgemäßen Validierung der vom Benutzer bereitgestellten Eingaben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial-of-Service-Zustand auszulösen, einen Man-in-the-Middle-Angriff durchzuführen oder vertrauliche Informationen offenzulegen.", }, ], release_date: "2024-01-30T23:00:00.000+00:00", title: "CVE-2021-23445", }, ], }
wid-sec-w-2023-2687
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-10-17 22:00
Summary
Oracle Siebel CRM: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Siebel CRM ist eine CRM-Lösung von Oracle.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Siebel CRM ausnutzen, um die Vertraulichkeit und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Siebel CRM ist eine CRM-Lösung von Oracle.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Siebel CRM ausnutzen, um die Vertraulichkeit und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2687 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2687.json", }, { category: "self", summary: "WID-SEC-2023-2687 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2687", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - October 2023 - Appendix Oracle Siebel CRM vom 2023-10-17", url: "https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixSECR", }, ], source_lang: "en-US", title: "Oracle Siebel CRM: Mehrere Schwachstellen", tracking: { current_release_date: "2023-10-17T22:00:00.000+00:00", generator: { date: "2024-08-15T18:00:04.829+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2687", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Oracle Siebel CRM <= 23.8", product: { name: "Oracle Siebel CRM <= 23.8", product_id: "T030617", product_identification_helper: { cpe: "cpe:/a:oracle:siebel_crm:23.8", }, }, }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Siebel CRM existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T030617", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Siebel CRM existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T030617", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
WID-SEC-W-2023-1142
Vulnerability from csaf_certbund
Published
2023-05-03 22:00
Modified
2024-02-28 23:00
Summary
Red Hat Integration Camel for Spring Boot: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Integration Camel for Spring Boot ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Integration Camel for Spring Boot ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1142 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1142.json", }, { category: "self", summary: "WID-SEC-2023-1142 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1142", }, { category: "external", summary: "RedHat Security Advisory vom 2023-05-03", url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3179 vom 2023-05-17", url: "https://access.redhat.com/errata/RHSA-2023:3179", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3193 vom 2023-05-17", url: "https://access.redhat.com/errata/RHSA-2023:3193", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3622 vom 2023-06-15", url: "https://access.redhat.com/errata/RHSA-2023:3622", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3667 vom 2023-06-19", url: "https://access.redhat.com/errata/RHSA-2023:3667", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3626 vom 2023-06-23", url: "https://access.redhat.com/errata/RHSA-2023:3626", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3625 vom 2023-06-23", url: "https://access.redhat.com/errata/RHSA-2023:3625", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3906 vom 2023-06-28", url: "https://access.redhat.com/errata/RHSA-2023:3906", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3954 vom 2023-06-29", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2165 vom 2023-07-26", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2165.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4506 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4506", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4507 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4507", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4505 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4505", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4509 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4509", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4612 vom 2023-08-16", url: "https://access.redhat.com/errata/RHSA-2023:4612", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4919 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4919", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4921 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4921", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4924 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4924", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4918 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4918", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4920 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4920", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:7670 vom 2023-12-06", url: "https://access.redhat.com/errata/RHSA-2023:7670", }, { category: "external", summary: "Dell Security Advisory DSA-2023-300 vom 2023-12-22", url: "https://www.dell.com/support/kbdoc/000220649/dsa-2023-=", }, { category: "external", summary: "Dell Security Advisory DSA-2023-409 vom 2023-12-23", url: "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-1910 vom 2024-01-23", url: "https://alas.aws.amazon.com/ALAS-2024-1910.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:1027 vom 2024-02-28", url: "https://access.redhat.com/errata/RHSA-2024:1027", }, ], source_lang: "en-US", title: "Red Hat Integration Camel for Spring Boot: Mehrere Schwachstellen", tracking: { current_release_date: "2024-02-28T23:00:00.000+00:00", generator: { date: "2024-08-15T17:50:22.698+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1142", initial_release_date: "2023-05-03T22:00:00.000+00:00", revision_history: [ { date: "2023-05-03T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-05-18T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-15T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-19T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-25T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-28T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-29T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-07-25T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-08-07T22:00:00.000+00:00", number: "9", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-08-16T22:00:00.000+00:00", number: "10", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-08-31T22:00:00.000+00:00", number: "11", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-12-06T23:00:00.000+00:00", number: "12", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-12-21T23:00:00.000+00:00", number: "13", summary: "Neue Updates von Dell aufgenommen", }, { date: "2023-12-26T23:00:00.000+00:00", number: "14", summary: "Neue Updates von Dell aufgenommen", }, { date: "2024-01-22T23:00:00.000+00:00", number: "15", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2024-02-28T23:00:00.000+00:00", number: "16", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "16", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Dell NetWorker", product: { name: "Dell NetWorker", product_id: "T024663", product_identification_helper: { cpe: "cpe:/a:dell:networker:-", }, }, }, ], category: "vendor", name: "Dell", }, { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, { category: "product_version_range", name: "Integration Camel for Spring Boot < 3.20.1", product: { name: "Red Hat Enterprise Linux Integration Camel for Spring Boot < 3.20.1", product_id: "T027614", }, }, ], category: "product_name", name: "Enterprise Linux", }, { branches: [ { category: "product_version", name: "Camel Extensions for Quarkus 1", product: { name: "Red Hat Integration Camel Extensions for Quarkus 1", product_id: "T026453", product_identification_helper: { cpe: "cpe:/a:redhat:integration:camel_extensions_for_quarkus_1", }, }, }, ], category: "product_name", name: "Integration", }, { branches: [ { category: "product_version_range", name: "Container Platform < 4.10.62", product: { name: "Red Hat OpenShift Container Platform < 4.10.62", product_id: "T028308", }, }, { category: "product_version", name: "Application Runtimes", product: { name: "Red Hat OpenShift Application Runtimes", product_id: "T029341", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:application_runtimes", }, }, }, ], category: "product_name", name: "OpenShift", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-22602", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-22602", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-20860", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-20860", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-4492", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-4492", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-41854", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41854", }, { cve: "CVE-2022-41853", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41853", }, { cve: "CVE-2022-41852", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41852", }, { cve: "CVE-2022-41704", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41704", }, { cve: "CVE-2022-40156", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40156", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40151", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40151", }, { cve: "CVE-2022-40150", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40150", }, { cve: "CVE-2022-40146", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40146", }, { cve: "CVE-2022-39368", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-39368", }, { cve: "CVE-2022-38752", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38752", }, { cve: "CVE-2022-38751", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38751", }, { cve: "CVE-2022-38750", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38750", }, { cve: "CVE-2022-38749", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38749", }, { cve: "CVE-2022-38648", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38648", }, { cve: "CVE-2022-38398", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38398", }, { cve: "CVE-2022-37866", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-37866", }, { cve: "CVE-2022-37865", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-37865", }, { cve: "CVE-2022-33681", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-33681", }, { cve: "CVE-2022-31777", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-31777", }, { cve: "CVE-2022-25857", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-25857", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
wid-sec-w-2024-0874
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Enterprise Manager: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0874 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0874.json", }, { category: "self", summary: "WID-SEC-2024-0874 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0874", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Enterprise Manager vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixEM", }, ], source_lang: "en-US", title: "Oracle Enterprise Manager: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:41.950+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0874", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "13.3.0.1", product: { name: "Oracle Enterprise Manager 13.3.0.1", product_id: "T018974", product_identification_helper: { cpe: "cpe:/a:oracle:enterprise_manager:13.3.0.1", }, }, }, { category: "product_version", name: "13.5.0.0", product: { name: "Oracle Enterprise Manager 13.5.0.0", product_id: "T020692", product_identification_helper: { cpe: "cpe:/a:oracle:enterprise_manager:13.5.0.0", }, }, }, ], category: "product_name", name: "Enterprise Manager", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-36770", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2021-36770", }, { cve: "CVE-2022-34381", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-34381", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-46337", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-46337", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-42503", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-42503", }, { cve: "CVE-2023-44487", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-44487", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, { cve: "CVE-2024-21067", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21067", }, ], }
WID-SEC-W-2023-1782
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Utilities Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Utilities Applications ist eine Produktfamilie mit branchenspezifischen Lösungen für Ver- und Entsorger.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Utilities Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Utilities Applications ist eine Produktfamilie mit branchenspezifischen Lösungen für Ver- und Entsorger.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Utilities Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1782 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1782.json", }, { category: "self", summary: "WID-SEC-2023-1782 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1782", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Utilities Applications vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixUTIL", }, ], source_lang: "en-US", title: "Oracle Utilities Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:44.342+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1782", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Utilities Applications 2.5.0.2", product: { name: "Oracle Utilities Applications 2.5.0.2", product_id: "T028753", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:2.5.0.2", }, }, }, { category: "product_name", name: "Oracle Utilities Applications <= 7.0.0.0", product: { name: "Oracle Utilities Applications <= 7.0.0.0", product_id: "T028754", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:7.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications <= 6.0.0.3", product: { name: "Oracle Utilities Applications <= 6.0.0.3", product_id: "T028755", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:6.0.0.3", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 7.0.0.0", product: { name: "Oracle Utilities Applications 7.0.0.0", product_id: "T028756", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:7.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 13.4.1.0.0", product: { name: "Oracle Utilities Applications 13.4.1.0.0", product_id: "T028757", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:13.4.1.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 13.5.1.0.0", product: { name: "Oracle Utilities Applications 13.5.1.0.0", product_id: "T028758", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:13.5.1.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.2.0.3.0", product: { name: "Oracle Utilities Applications 4.2.0.3.0", product_id: "T028759", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.2.0.3.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications <= 4.3.0.6.0", product: { name: "Oracle Utilities Applications <= 4.3.0.6.0", product_id: "T028760", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.3.0.6.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.4.0.0.0", product: { name: "Oracle Utilities Applications 4.4.0.0.0", product_id: "T028761", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.4.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.4.0.2.0", product: { name: "Oracle Utilities Applications 4.4.0.2.0", product_id: "T028762", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.4.0.2.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.4.0.3.0", product: { name: "Oracle Utilities Applications 4.4.0.3.0", product_id: "T028763", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.4.0.3.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.5.0.0.0", product: { name: "Oracle Utilities Applications 4.5.0.0.0", product_id: "T028764", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.5.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.5.0.1.0", product: { name: "Oracle Utilities Applications 4.5.0.1.0", product_id: "T028765", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.5.0.1.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.5.0.1.1", product: { name: "Oracle Utilities Applications 4.5.0.1.1", product_id: "T028766", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.5.0.1.1", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 2.5.0.1", product: { name: "Oracle Utilities Applications 2.5.0.1", product_id: "T028767", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:2.5.0.1", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 2.6.0.0", product: { name: "Oracle Utilities Applications 2.6.0.0", product_id: "T028768", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:2.6.0.0", }, }, }, ], category: "product_name", name: "Utilities Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28708", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28708", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-20873", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20873", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-40150", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-40150", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, ], }
wid-sec-w-2023-1792
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Policy Automation: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Policy Automation dient der automatisierten Verwaltung und Durchsetzung von Richtlinien.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Policy Automation ausnutzen, um die Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Policy Automation dient der automatisierten Verwaltung und Durchsetzung von Richtlinien.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Policy Automation ausnutzen, um die Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1792 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1792.json", }, { category: "self", summary: "WID-SEC-2023-1792 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1792", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Policy Automation vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixPOLI", }, ], source_lang: "en-US", title: "Oracle Policy Automation: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:46.821+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1792", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Policy Automation < 12.2.30", product: { name: "Oracle Policy Automation < 12.2.30", product_id: "T028722", product_identification_helper: { cpe: "cpe:/a:oracle:policy_automation:12.2.30", }, }, }, { category: "product_name", name: "Oracle Policy Automation < 12.2.31", product: { name: "Oracle Policy Automation < 12.2.31", product_id: "T028723", product_identification_helper: { cpe: "cpe:/a:oracle:policy_automation:12.2.31", }, }, }, ], category: "product_name", name: "Policy Automation", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Policy Automation existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Policy Automation existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, ], }
WID-SEC-W-2023-1755
Vulnerability from csaf_certbund
Published
2023-07-16 22:00
Modified
2023-07-16 22:00
Summary
IBM InfoSphere Information Server: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.
Angriff
Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM InfoSphere Information Server ist eine Softwareplattform zur Integration heterogener Daten.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in IBM InfoSphere Information Server ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1755 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1755.json", }, { category: "self", summary: "WID-SEC-2023-1755 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1755", }, { category: "external", summary: "IBM Security Bulletin: 7007051 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/7007051", }, { category: "external", summary: "IBM Security Bulletin: 6988683 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/6988683", }, { category: "external", summary: "IBM Security Bulletin: 6988679 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/6988679", }, { category: "external", summary: "IBM Security Bulletin: 6988677 vom 2023-07-16", url: "https://www.ibm.com/support/pages/node/6988677", }, ], source_lang: "en-US", title: "IBM InfoSphere Information Server: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-16T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:36.670+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1755", initial_release_date: "2023-07-16T22:00:00.000+00:00", revision_history: [ { date: "2023-07-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM InfoSphere Information Server 11.7", product: { name: "IBM InfoSphere Information Server 11.7", product_id: "444803", product_identification_helper: { cpe: "cpe:/a:ibm:infosphere_information_server:11.7", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2023-2861", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-2861", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-20860", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-20860", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-1108", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2023-1108", }, { cve: "CVE-2022-4492", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-4492", }, { cve: "CVE-2022-41854", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-41854", }, { cve: "CVE-2022-38752", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38752", }, { cve: "CVE-2022-38751", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38751", }, { cve: "CVE-2022-38750", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38750", }, { cve: "CVE-2022-38749", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-38749", }, { cve: "CVE-2022-25857", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-25857", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2022-1259", notes: [ { category: "description", text: "In IBM InfoSphere Information Server existieren mehrere Schwachstellen. Diese sind auf Fehler in den Komponenten \"SnakeYAML\", \"netplex json-smart-v2\", \"VMware Tanzu Spring Framework\" sowie \"undertow\" zurückzuführen. Ein Angreifer kann diese Schwachstelle ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand zu verursachen.", }, ], product_status: { known_affected: [ "444803", ], }, release_date: "2023-07-16T22:00:00.000+00:00", title: "CVE-2022-1259", }, ], }
wid-sec-w-2024-0794
Vulnerability from csaf_certbund
Published
2024-04-04 22:00
Modified
2024-11-27 23:00
Summary
Dell ECS: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Dell ECS ist ein Objektspeichersystem.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Dell ECS ist ein Objektspeichersystem.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0794 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0794.json", }, { category: "self", summary: "WID-SEC-2024-0794 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0794", }, { category: "external", summary: "Dell Security Advisory DSA-2024-141 vom 2024-04-04", url: "https://www.dell.com/support/kbdoc/000223839/dsa-2024-=", }, ], source_lang: "en-US", title: "Dell ECS: Mehrere Schwachstellen", tracking: { current_release_date: "2024-11-27T23:00:00.000+00:00", generator: { date: "2024-11-28T11:39:04.623+00:00", engine: { name: "BSI-WID", version: "1.3.8", }, }, id: "WID-SEC-W-2024-0794", initial_release_date: "2024-04-04T22:00:00.000+00:00", revision_history: [ { date: "2024-04-04T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-11-27T23:00:00.000+00:00", number: "2", summary: "Produktzuordnung überprüft", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<3.8.1.0", product: { name: "Dell ECS <3.8.1.0", product_id: "T033919", }, }, { category: "product_version", name: "3.8.1.0", product: { name: "Dell ECS 3.8.1.0", product_id: "T033919-fixed", product_identification_helper: { cpe: "cpe:/h:dell:ecs:3.8.1.0", }, }, }, ], category: "product_name", name: "ECS", }, ], category: "vendor", name: "Dell", }, ], }, vulnerabilities: [ { cve: "CVE-2018-18074", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2018-18074", }, { cve: "CVE-2020-10663", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10663", }, { cve: "CVE-2020-10672", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10672", }, { cve: "CVE-2020-10673", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10673", }, { cve: "CVE-2020-10735", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10735", }, { cve: "CVE-2020-10968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10968", }, { cve: "CVE-2020-10969", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10969", }, { cve: "CVE-2020-11111", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11111", }, { cve: "CVE-2020-11112", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11112", }, { cve: "CVE-2020-11113", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11113", }, { cve: "CVE-2020-11612", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11612", }, { cve: "CVE-2020-11619", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11619", }, { cve: "CVE-2020-11620", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11620", }, { cve: "CVE-2020-11979", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11979", }, { cve: "CVE-2020-12762", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-12762", }, { cve: "CVE-2020-12825", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-12825", }, { cve: "CVE-2020-13956", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-13956", }, { cve: "CVE-2020-14060", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14060", }, { cve: "CVE-2020-14061", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14061", }, { cve: "CVE-2020-14062", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14062", }, { cve: "CVE-2020-14195", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14195", }, { cve: "CVE-2020-15250", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-15250", }, { cve: "CVE-2020-1945", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-1945", }, { cve: "CVE-2020-1967", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-1967", }, { cve: "CVE-2020-1971", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-1971", }, { cve: "CVE-2020-24616", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-24616", }, { cve: "CVE-2020-24750", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-24750", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-25658", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-25658", }, { cve: "CVE-2020-26116", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-26116", }, { cve: "CVE-2020-26137", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-26137", }, { cve: "CVE-2020-26541", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-26541", }, { cve: "CVE-2020-27216", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-27216", }, { cve: "CVE-2020-27218", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-27218", }, { cve: "CVE-2020-27223", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-27223", }, { cve: "CVE-2020-28366", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-28366", }, { cve: "CVE-2020-28493", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-28493", }, { cve: "CVE-2020-29509", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29509", }, { cve: "CVE-2020-29511", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29511", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-29651", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29651", }, { cve: "CVE-2020-35490", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-35490", }, { cve: "CVE-2020-35491", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-35491", }, { cve: "CVE-2020-35728", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-35728", }, { cve: "CVE-2020-36179", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36179", }, { cve: "CVE-2020-36180", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36180", }, { cve: "CVE-2020-36181", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36181", }, { cve: "CVE-2020-36182", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36182", }, { cve: "CVE-2020-36183", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36183", }, { cve: "CVE-2020-36184", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36184", }, { cve: "CVE-2020-36185", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36185", }, { cve: "CVE-2020-36186", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36186", }, { cve: "CVE-2020-36187", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36187", }, { cve: "CVE-2020-36188", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36188", }, { cve: "CVE-2020-36189", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36189", }, { cve: "CVE-2020-36516", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36516", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-36557", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36557", }, { cve: "CVE-2020-36558", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36558", }, { cve: "CVE-2020-36691", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36691", }, { cve: "CVE-2020-7238", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-7238", }, { cve: "CVE-2020-8840", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8840", }, { cve: "CVE-2020-8908", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8908", }, { cve: "CVE-2020-8911", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8911", }, { cve: "CVE-2020-8912", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8912", }, { cve: "CVE-2020-9488", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9488", }, { cve: "CVE-2020-9493", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9493", }, { cve: "CVE-2020-9546", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9546", }, { cve: "CVE-2020-9547", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9547", }, { cve: "CVE-2020-9548", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9548", }, { cve: "CVE-2021-20190", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-20190", }, { cve: "CVE-2021-20323", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-20323", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-21295", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-21295", }, { cve: "CVE-2021-21409", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-21409", }, { cve: "CVE-2021-23840", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-23840", }, { cve: "CVE-2021-23841", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-23841", }, { cve: "CVE-2021-2471", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-2471", }, { cve: "CVE-2021-25642", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-25642", }, { cve: "CVE-2021-26341", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-26341", }, { cve: "CVE-2021-27918", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-27918", }, { cve: "CVE-2021-28153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28153", }, { cve: "CVE-2021-28165", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28165", }, { cve: "CVE-2021-28169", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28169", }, { cve: "CVE-2021-28861", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28861", }, { cve: "CVE-2021-29425", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-29425", }, { cve: "CVE-2021-30560", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-30560", }, { cve: "CVE-2021-3114", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3114", }, { cve: "CVE-2021-33036", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33036", }, { cve: "CVE-2021-33194", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33194", }, { cve: "CVE-2021-33195", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33195", }, { cve: "CVE-2021-33196", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33196", }, { cve: "CVE-2021-33197", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33197", }, { cve: "CVE-2021-33503", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33503", }, { cve: "CVE-2021-33655", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33655", }, { cve: "CVE-2021-33656", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33656", }, { cve: "CVE-2021-3424", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3424", }, { cve: "CVE-2021-34428", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-34428", }, { cve: "CVE-2021-3449", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3449", }, { cve: "CVE-2021-3450", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3450", }, { cve: "CVE-2021-3530", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3530", }, { cve: "CVE-2021-36221", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36221", }, { cve: "CVE-2021-36373", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36373", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3648", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3648", }, { cve: "CVE-2021-36690", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36690", }, { cve: "CVE-2021-3711", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3711", }, { cve: "CVE-2021-3712", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3712", }, { cve: "CVE-2021-37136", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37136", }, { cve: "CVE-2021-37137", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37137", }, { cve: "CVE-2021-37404", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37404", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2021-3754", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3754", }, { cve: "CVE-2021-3778", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3778", }, { cve: "CVE-2021-3796", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3796", }, { cve: "CVE-2021-3826", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3826", }, { cve: "CVE-2021-3827", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3827", }, { cve: "CVE-2021-38297", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-38297", }, { cve: "CVE-2021-3872", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3872", }, { cve: "CVE-2021-3875", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3875", }, { cve: "CVE-2021-3903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3903", }, { cve: "CVE-2021-3923", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3923", }, { cve: "CVE-2021-3927", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3927", }, { cve: "CVE-2021-3928", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3928", }, { cve: "CVE-2021-3968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3968", }, { cve: "CVE-2021-3973", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3973", }, { cve: "CVE-2021-3974", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3974", }, { cve: "CVE-2021-3984", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3984", }, { cve: "CVE-2021-4019", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4019", }, { cve: "CVE-2021-4037", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4037", }, { cve: "CVE-2021-4069", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4069", }, { cve: "CVE-2021-4104", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4104", }, { cve: "CVE-2021-4136", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4136", }, { cve: "CVE-2021-4157", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4157", }, { cve: "CVE-2021-4166", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4166", }, { cve: "CVE-2021-41771", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-41771", }, { cve: "CVE-2021-4192", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4192", }, { cve: "CVE-2021-4193", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4193", }, { cve: "CVE-2021-4203", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4203", }, { cve: "CVE-2021-42567", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-42567", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2021-44531", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44531", }, { cve: "CVE-2021-44532", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44532", }, { cve: "CVE-2021-44533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44533", }, { cve: "CVE-2021-44716", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44716", }, { cve: "CVE-2021-44878", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44878", }, { cve: "CVE-2021-45078", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-45078", }, { cve: "CVE-2021-46195", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-46195", }, { cve: "CVE-2021-46828", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-46828", }, { cve: "CVE-2021-46848", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-46848", }, { cve: "CVE-2022-0128", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0128", }, { cve: "CVE-2022-0213", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0213", }, { cve: "CVE-2022-0225", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0225", }, { cve: "CVE-2022-0261", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0261", }, { cve: "CVE-2022-0318", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0318", }, { cve: "CVE-2022-0319", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0319", }, { cve: "CVE-2022-0351", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0351", }, { cve: "CVE-2022-0359", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0359", }, { cve: "CVE-2022-0361", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0361", }, { cve: "CVE-2022-0392", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0392", }, { cve: "CVE-2022-0407", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0407", }, { cve: "CVE-2022-0413", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0413", }, { cve: "CVE-2022-0561", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0561", }, { cve: "CVE-2022-0696", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0696", }, { cve: "CVE-2022-0778", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0778", }, { cve: "CVE-2022-1184", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1184", }, { cve: "CVE-2022-1245", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1245", }, { cve: "CVE-2022-1271", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1271", }, { cve: "CVE-2022-1292", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1292", }, { cve: "CVE-2022-1381", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1381", }, { cve: "CVE-2022-1420", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1420", }, { cve: "CVE-2022-1462", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1462", }, { cve: "CVE-2022-1466", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1466", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2022-1586", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1586", }, { cve: "CVE-2022-1587", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1587", }, { cve: "CVE-2022-1616", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1616", }, { cve: "CVE-2022-1619", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1619", }, { cve: "CVE-2022-1620", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1620", }, { cve: "CVE-2022-1679", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1679", }, { cve: "CVE-2022-1705", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1705", }, { cve: "CVE-2022-1720", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1720", }, { cve: "CVE-2022-1729", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1729", }, { cve: "CVE-2022-1733", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1733", }, { cve: "CVE-2022-1735", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1735", }, { cve: "CVE-2022-1771", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1771", }, { cve: "CVE-2022-1785", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1785", }, { cve: "CVE-2022-1796", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1796", }, { cve: "CVE-2022-1851", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1851", }, { cve: "CVE-2022-1897", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1897", }, { cve: "CVE-2022-1898", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1898", }, { cve: "CVE-2022-1927", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1927", }, { cve: "CVE-2022-1962", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1962", }, { cve: "CVE-2022-1968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1968", }, { cve: "CVE-2022-1974", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1974", }, { cve: "CVE-2022-1975", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1975", }, { cve: "CVE-2022-20132", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20132", }, { cve: "CVE-2022-20141", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20141", }, { cve: "CVE-2022-20154", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20154", }, { cve: "CVE-2022-20166", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20166", }, { cve: "CVE-2022-20368", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20368", }, { cve: "CVE-2022-20369", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20369", }, { cve: "CVE-2022-2047", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2047", }, { cve: "CVE-2022-2048", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2048", }, { cve: "CVE-2022-20567", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20567", }, { cve: "CVE-2022-2068", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2068", }, { cve: "CVE-2022-2097", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2097", }, { cve: "CVE-2022-21216", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21216", }, { cve: "CVE-2022-21233", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21233", }, { cve: "CVE-2022-2124", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2124", }, { cve: "CVE-2022-2125", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2125", }, { cve: "CVE-2022-2126", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2126", }, { cve: "CVE-2022-2129", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2129", }, { cve: "CVE-2022-21363", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21363", }, { cve: "CVE-2022-21385", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21385", }, { cve: "CVE-2022-21499", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21499", }, { cve: "CVE-2022-2153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2153", }, { cve: "CVE-2022-21540", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21540", }, { cve: "CVE-2022-21541", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21541", }, { cve: "CVE-2022-21549", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21549", }, { cve: "CVE-2022-21618", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21618", }, { cve: "CVE-2022-21619", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21619", }, { cve: "CVE-2022-21624", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21624", }, { cve: "CVE-2022-21626", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21626", }, { cve: "CVE-2022-21628", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21628", }, { cve: "CVE-2022-21702", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21702", }, { cve: "CVE-2022-2175", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2175", }, { cve: "CVE-2022-2182", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2182", }, { cve: "CVE-2022-2183", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2183", }, { cve: "CVE-2022-2206", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2206", }, { cve: "CVE-2022-2207", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2207", }, { cve: "CVE-2022-2208", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2208", }, { cve: "CVE-2022-2210", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2210", }, { cve: "CVE-2022-2231", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2231", }, { cve: "CVE-2022-2256", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2256", }, { cve: "CVE-2022-2257", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2257", }, { cve: "CVE-2022-2264", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2264", }, { cve: "CVE-2022-2284", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2284", }, { cve: "CVE-2022-2285", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2285", }, { cve: "CVE-2022-2286", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2286", }, { cve: "CVE-2022-2287", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2287", }, { cve: "CVE-2022-22976", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-22976", }, { cve: "CVE-2022-22978", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-22978", }, { cve: "CVE-2022-2304", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2304", }, { cve: "CVE-2022-2318", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2318", }, { cve: "CVE-2022-23302", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23302", }, { cve: "CVE-2022-23305", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23305", }, { cve: "CVE-2022-23307", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23307", }, { cve: "CVE-2022-2343", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2343", }, { cve: "CVE-2022-2344", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2344", }, { cve: "CVE-2022-2345", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2345", }, { cve: "CVE-2022-23471", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23471", }, { cve: "CVE-2022-23521", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23521", }, { cve: "CVE-2022-23772", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23772", }, { cve: "CVE-2022-23773", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23773", }, { cve: "CVE-2022-24302", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24302", }, { cve: "CVE-2022-24329", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24329", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-24903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24903", }, { cve: "CVE-2022-2503", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2503", }, { cve: "CVE-2022-25147", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25147", }, { cve: "CVE-2022-25168", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25168", }, { cve: "CVE-2022-2519", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2519", }, { cve: "CVE-2022-2520", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2520", }, { cve: "CVE-2022-2521", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2521", }, { cve: "CVE-2022-2522", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2522", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2022-2571", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2571", }, { cve: "CVE-2022-2580", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2580", }, { cve: "CVE-2022-2581", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2581", }, { cve: "CVE-2022-25857", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25857", }, { cve: "CVE-2022-2588", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2588", }, { cve: "CVE-2022-2598", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2598", }, { cve: "CVE-2022-26148", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26148", }, { cve: "CVE-2022-26365", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26365", }, { cve: "CVE-2022-26373", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26373", }, { cve: "CVE-2022-2639", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2639", }, { cve: "CVE-2022-26612", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26612", }, { cve: "CVE-2022-2663", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2663", }, { cve: "CVE-2022-27781", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-27781", }, { cve: "CVE-2022-27782", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-27782", }, { cve: "CVE-2022-27943", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-27943", }, { cve: "CVE-2022-2795", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2795", }, { cve: "CVE-2022-28131", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28131", }, { cve: "CVE-2022-2816", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2816", }, { cve: "CVE-2022-2817", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2817", }, { cve: "CVE-2022-2819", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2819", }, { cve: "CVE-2022-28327", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28327", }, { cve: "CVE-2022-2845", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2845", }, { cve: "CVE-2022-2849", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2849", }, { cve: "CVE-2022-2862", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2862", }, { cve: "CVE-2022-2867", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2867", }, { cve: "CVE-2022-2868", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2868", }, { cve: "CVE-2022-2869", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2869", }, { cve: "CVE-2022-28693", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28693", }, { cve: "CVE-2022-2874", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2874", }, { cve: "CVE-2022-28748", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28748", }, { cve: "CVE-2022-2880", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2880", }, { cve: "CVE-2022-2889", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2889", }, { cve: "CVE-2022-29162", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29162", }, { cve: "CVE-2022-29187", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29187", }, { cve: "CVE-2022-2923", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2923", }, { cve: "CVE-2022-2946", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2946", }, { cve: "CVE-2022-29526", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29526", }, { cve: "CVE-2022-29583", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29583", }, { cve: "CVE-2022-2964", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2964", }, { cve: "CVE-2022-2977", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2977", }, { cve: "CVE-2022-2980", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2980", }, { cve: "CVE-2022-2982", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2982", }, { cve: "CVE-2022-29900", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29900", }, { cve: "CVE-2022-29901", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29901", }, { cve: "CVE-2022-2991", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2991", }, { cve: "CVE-2022-3016", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3016", }, { cve: "CVE-2022-3028", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3028", }, { cve: "CVE-2022-3037", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3037", }, { cve: "CVE-2022-30580", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30580", }, { cve: "CVE-2022-30630", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30630", }, { cve: "CVE-2022-30631", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30631", }, { cve: "CVE-2022-30632", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30632", }, { cve: "CVE-2022-30633", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30633", }, { cve: "CVE-2022-3099", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3099", }, { cve: "CVE-2022-31030", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-31030", }, { cve: "CVE-2022-31159", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-31159", }, { cve: "CVE-2022-3134", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3134", }, { cve: "CVE-2022-3153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3153", }, { cve: "CVE-2022-3169", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3169", }, { cve: "CVE-2022-31690", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-31690", }, { cve: "CVE-2022-32148", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32148", }, { cve: "CVE-2022-32149", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32149", }, { cve: "CVE-2022-32206", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32206", }, { cve: "CVE-2022-32208", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32208", }, { cve: "CVE-2022-32221", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32221", }, { cve: "CVE-2022-3234", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3234", }, { cve: "CVE-2022-3235", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3235", }, { cve: "CVE-2022-3239", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3239", }, { cve: "CVE-2022-3278", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3278", }, { cve: "CVE-2022-3296", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3296", }, { cve: "CVE-2022-3297", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3297", }, { cve: "CVE-2022-33196", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33196", }, { cve: "CVE-2022-3324", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3324", }, { cve: "CVE-2022-3352", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3352", }, { cve: "CVE-2022-33740", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33740", }, { cve: "CVE-2022-33741", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33741", }, { cve: "CVE-2022-33742", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33742", }, { cve: "CVE-2022-33972", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33972", }, { cve: "CVE-2022-33981", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33981", }, { cve: "CVE-2022-34169", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34169", }, { cve: "CVE-2022-3424", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3424", }, { cve: "CVE-2022-34266", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34266", }, { cve: "CVE-2022-34526", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34526", }, { cve: "CVE-2022-34903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34903", }, { cve: "CVE-2022-3491", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3491", }, { cve: "CVE-2022-3515", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3515", }, { cve: "CVE-2022-3520", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3520", }, { cve: "CVE-2022-3521", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3521", }, { cve: "CVE-2022-3524", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3524", }, { cve: "CVE-2022-35252", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-35252", }, { cve: "CVE-2022-3542", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3542", }, { cve: "CVE-2022-3545", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3545", }, { cve: "CVE-2022-3564", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3564", }, { cve: "CVE-2022-3565", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3565", }, { cve: "CVE-2022-3566", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3566", }, { cve: "CVE-2022-3567", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3567", }, { cve: "CVE-2022-35737", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-35737", }, { cve: "CVE-2022-3586", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3586", }, { cve: "CVE-2022-3591", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3591", }, { cve: "CVE-2022-3594", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3594", }, { cve: "CVE-2022-3597", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3597", }, { cve: "CVE-2022-3599", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3599", }, { cve: "CVE-2022-36109", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36109", }, { cve: "CVE-2022-3621", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3621", }, { cve: "CVE-2022-3626", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3626", }, { cve: "CVE-2022-3627", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3627", }, { cve: "CVE-2022-3628", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3628", }, { cve: "CVE-2022-36280", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36280", }, { cve: "CVE-2022-3629", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3629", }, { cve: "CVE-2022-3635", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3635", }, { cve: "CVE-2022-3643", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3643", }, { cve: "CVE-2022-36437", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36437", }, { cve: "CVE-2022-3646", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3646", }, { cve: "CVE-2022-3649", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3649", }, { cve: "CVE-2022-36760", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36760", }, { cve: "CVE-2022-36879", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36879", }, { cve: "CVE-2022-36946", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36946", }, { cve: "CVE-2022-3705", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3705", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-37436", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37436", }, { cve: "CVE-2022-37865", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37865", }, { cve: "CVE-2022-37866", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37866", }, { cve: "CVE-2022-38090", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38090", }, { cve: "CVE-2022-38096", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38096", }, { cve: "CVE-2022-38126", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38126", }, { cve: "CVE-2022-38127", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38127", }, { cve: "CVE-2022-38177", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38177", }, { cve: "CVE-2022-38178", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38178", }, { cve: "CVE-2022-3821", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3821", }, { cve: "CVE-2022-38533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38533", }, { cve: "CVE-2022-38749", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38749", }, { cve: "CVE-2022-38750", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38750", }, { cve: "CVE-2022-38751", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38751", }, { cve: "CVE-2022-38752", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38752", }, { cve: "CVE-2022-39028", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-39028", }, { cve: "CVE-2022-3903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3903", }, { cve: "CVE-2022-39188", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-39188", }, { cve: "CVE-2022-39399", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-39399", }, { cve: "CVE-2022-3970", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3970", }, { cve: "CVE-2022-40149", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40149", }, { cve: "CVE-2022-40150", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40150", }, { cve: "CVE-2022-40151", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40151", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40153", }, { cve: "CVE-2022-40303", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40303", }, { cve: "CVE-2022-40304", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40304", }, { cve: "CVE-2022-40307", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40307", }, { cve: "CVE-2022-40674", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40674", }, { cve: "CVE-2022-40768", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40768", }, { cve: "CVE-2022-40899", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40899", }, { cve: "CVE-2022-4095", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4095", }, { cve: "CVE-2022-41218", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41218", }, { cve: "CVE-2022-4129", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4129", }, { cve: "CVE-2022-4141", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4141", }, { cve: "CVE-2022-41717", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41717", }, { cve: "CVE-2022-41721", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41721", }, { cve: "CVE-2022-41848", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41848", }, { cve: "CVE-2022-41850", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41850", }, { cve: "CVE-2022-41854", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41854", }, { cve: "CVE-2022-41858", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41858", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-41903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41903", }, { cve: "CVE-2022-41915", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41915", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41974", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41974", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42010", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42010", }, { cve: "CVE-2022-42011", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42011", }, { cve: "CVE-2022-42012", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42012", }, { cve: "CVE-2022-42328", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42328", }, { cve: "CVE-2022-42329", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42329", }, { cve: "CVE-2022-42703", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42703", }, { cve: "CVE-2022-42889", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42889", }, { cve: "CVE-2022-42895", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42895", }, { cve: "CVE-2022-42896", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42896", }, { cve: "CVE-2022-42898", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42898", }, { cve: "CVE-2022-4292", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4292", }, { cve: "CVE-2022-4293", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4293", }, { cve: "CVE-2022-42969", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42969", }, { cve: "CVE-2022-4304", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4304", }, { cve: "CVE-2022-43552", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43552", }, { cve: "CVE-2022-43680", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43680", }, { cve: "CVE-2022-43750", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43750", }, { cve: "CVE-2022-4378", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4378", }, { cve: "CVE-2022-43945", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43945", }, { cve: "CVE-2022-43995", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43995", }, { cve: "CVE-2022-4415", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4415", }, { cve: "CVE-2022-4450", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4450", }, { cve: "CVE-2022-44638", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-44638", }, { cve: "CVE-2022-45061", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45061", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45884", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45884", }, { cve: "CVE-2022-45885", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45885", }, { cve: "CVE-2022-45886", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45886", }, { cve: "CVE-2022-45887", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45887", }, { cve: "CVE-2022-45919", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45919", }, { cve: "CVE-2022-45934", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45934", }, { cve: "CVE-2022-45939", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45939", }, { cve: "CVE-2022-4662", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4662", }, { cve: "CVE-2022-46751", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-46751", }, { cve: "CVE-2022-46908", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-46908", }, { cve: "CVE-2022-47629", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-47629", }, { cve: "CVE-2022-47929", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-47929", }, { cve: "CVE-2022-48281", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-48281", }, { cve: "CVE-2022-48337", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-48337", }, { cve: "CVE-2022-48339", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-48339", }, { cve: "CVE-2023-0045", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0045", }, { cve: "CVE-2023-0049", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0049", }, { cve: "CVE-2023-0051", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0051", }, { cve: "CVE-2023-0054", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0054", }, { cve: "CVE-2023-0215", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0215", }, { cve: "CVE-2023-0286", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0286", }, { cve: "CVE-2023-0288", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0288", }, { cve: "CVE-2023-0433", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0433", }, { cve: "CVE-2023-0464", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0464", }, { cve: "CVE-2023-0465", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0465", }, { cve: "CVE-2023-0466", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0466", }, { cve: "CVE-2023-0512", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0512", }, { cve: "CVE-2023-0590", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0590", }, { cve: "CVE-2023-0597", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0597", }, { cve: "CVE-2023-0833", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0833", }, { cve: "CVE-2023-1076", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1076", }, { cve: "CVE-2023-1095", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1095", }, { cve: "CVE-2023-1118", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1118", }, { cve: "CVE-2023-1127", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1127", }, { cve: "CVE-2023-1170", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1170", }, { cve: "CVE-2023-1175", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1175", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-1380", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1380", }, { cve: "CVE-2023-1390", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1390", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1513", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1513", }, { cve: "CVE-2023-1611", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1611", }, { cve: "CVE-2023-1670", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1670", }, { cve: "CVE-2023-1855", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1855", }, { cve: "CVE-2023-1989", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1989", }, { cve: "CVE-2023-1990", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1990", }, { cve: "CVE-2023-1998", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1998", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-2124", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2124", }, { cve: "CVE-2023-2162", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2162", }, { cve: "CVE-2023-2176", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2176", }, { cve: "CVE-2023-21830", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21830", }, { cve: "CVE-2023-21835", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21835", }, { cve: "CVE-2023-21843", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21843", }, { cve: "CVE-2023-21930", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21930", }, { cve: "CVE-2023-21937", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21937", }, { cve: "CVE-2023-21938", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21938", }, { cve: "CVE-2023-21939", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21939", }, { cve: "CVE-2023-2194", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2194", }, { cve: "CVE-2023-21954", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21954", }, { cve: "CVE-2023-21967", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21967", }, { cve: "CVE-2023-21968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21968", }, { cve: "CVE-2023-22490", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-22490", }, { cve: "CVE-2023-2253", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2253", }, { cve: "CVE-2023-22809", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-22809", }, { cve: "CVE-2023-23454", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23454", }, { cve: "CVE-2023-23455", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23455", }, { cve: "CVE-2023-23559", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23559", }, { cve: "CVE-2023-23916", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23916", }, { cve: "CVE-2023-23946", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23946", }, { cve: "CVE-2023-24329", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24329", }, { cve: "CVE-2023-24532", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24532", }, { cve: "CVE-2023-24534", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24534", }, { cve: "CVE-2023-2483", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2483", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-2513", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2513", }, { cve: "CVE-2023-25193", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25193", }, { cve: "CVE-2023-25652", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25652", }, { cve: "CVE-2023-25690", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25690", }, { cve: "CVE-2023-25809", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25809", }, { cve: "CVE-2023-25815", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25815", }, { cve: "CVE-2023-26048", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26048", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-2650", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2650", }, { cve: "CVE-2023-26545", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26545", }, { cve: "CVE-2023-26604", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26604", }, { cve: "CVE-2023-27533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27533", }, { cve: "CVE-2023-27534", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27534", }, { cve: "CVE-2023-27535", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27535", }, { cve: "CVE-2023-27536", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27536", }, { cve: "CVE-2023-27538", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27538", }, { cve: "CVE-2023-27561", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27561", }, { cve: "CVE-2023-2828", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2828", }, { cve: "CVE-2023-28320", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28320", }, { cve: "CVE-2023-28321", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28321", }, { cve: "CVE-2023-28322", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28322", }, { cve: "CVE-2023-28328", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28328", }, { cve: "CVE-2023-28464", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28464", }, { cve: "CVE-2023-28486", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28486", }, { cve: "CVE-2023-28487", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28487", }, { cve: "CVE-2023-28642", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28642", }, { cve: "CVE-2023-28772", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28772", }, { cve: "CVE-2023-28840", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28840", }, { cve: "CVE-2023-28841", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28841", }, { cve: "CVE-2023-28842", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28842", }, { cve: "CVE-2023-29007", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29007", }, { cve: "CVE-2023-29383", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29383", }, { cve: "CVE-2023-29402", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29402", }, { cve: "CVE-2023-29406", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29406", }, { cve: "CVE-2023-29409", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29409", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-30630", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-30630", }, { cve: "CVE-2023-30772", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-30772", }, { cve: "CVE-2023-31084", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-31084", }, { cve: "CVE-2023-3138", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-3138", }, { cve: "CVE-2023-31436", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-31436", }, { cve: "CVE-2023-31484", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-31484", }, { cve: "CVE-2023-32269", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-32269", }, { cve: "CVE-2023-32697", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-32697", }, { cve: "CVE-2023-33264", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-33264", }, { cve: "CVE-2023-34034", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34034", }, { cve: "CVE-2023-34035", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34035", }, { cve: "CVE-2023-34453", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34453", }, { cve: "CVE-2023-34454", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34454", }, { cve: "CVE-2023-34455", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34455", }, { cve: "CVE-2023-34462", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34462", }, { cve: "CVE-2023-35116", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-35116", }, { cve: "CVE-2023-3635", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-3635", }, { cve: "CVE-2023-36479", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-36479", }, { cve: "CVE-2023-39533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-39533", }, { cve: "CVE-2023-40167", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-40167", }, { cve: "CVE-2023-40217", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-40217", }, { cve: "CVE-2023-41105", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-41105", }, { cve: "CVE-2023-41900", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-41900", }, { cve: "CVE-2023-43642", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-43642", }, { cve: "CVE-2023-43804", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-43804", }, { cve: "CVE-2023-44487", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-44487", }, { cve: "CVE-2023-45803", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-45803", }, { cve: "CVE-2024-21626", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2024-21626", }, ], }
WID-SEC-W-2024-0794
Vulnerability from csaf_certbund
Published
2024-04-04 22:00
Modified
2024-11-27 23:00
Summary
Dell ECS: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Dell ECS ist ein Objektspeichersystem.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Dell ECS ist ein Objektspeichersystem.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Dell ECS ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0794 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0794.json", }, { category: "self", summary: "WID-SEC-2024-0794 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0794", }, { category: "external", summary: "Dell Security Advisory DSA-2024-141 vom 2024-04-04", url: "https://www.dell.com/support/kbdoc/000223839/dsa-2024-=", }, ], source_lang: "en-US", title: "Dell ECS: Mehrere Schwachstellen", tracking: { current_release_date: "2024-11-27T23:00:00.000+00:00", generator: { date: "2024-11-28T11:39:04.623+00:00", engine: { name: "BSI-WID", version: "1.3.8", }, }, id: "WID-SEC-W-2024-0794", initial_release_date: "2024-04-04T22:00:00.000+00:00", revision_history: [ { date: "2024-04-04T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-11-27T23:00:00.000+00:00", number: "2", summary: "Produktzuordnung überprüft", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<3.8.1.0", product: { name: "Dell ECS <3.8.1.0", product_id: "T033919", }, }, { category: "product_version", name: "3.8.1.0", product: { name: "Dell ECS 3.8.1.0", product_id: "T033919-fixed", product_identification_helper: { cpe: "cpe:/h:dell:ecs:3.8.1.0", }, }, }, ], category: "product_name", name: "ECS", }, ], category: "vendor", name: "Dell", }, ], }, vulnerabilities: [ { cve: "CVE-2018-18074", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2018-18074", }, { cve: "CVE-2020-10663", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10663", }, { cve: "CVE-2020-10672", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10672", }, { cve: "CVE-2020-10673", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10673", }, { cve: "CVE-2020-10735", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10735", }, { cve: "CVE-2020-10968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10968", }, { cve: "CVE-2020-10969", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-10969", }, { cve: "CVE-2020-11111", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11111", }, { cve: "CVE-2020-11112", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11112", }, { cve: "CVE-2020-11113", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11113", }, { cve: "CVE-2020-11612", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11612", }, { cve: "CVE-2020-11619", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11619", }, { cve: "CVE-2020-11620", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11620", }, { cve: "CVE-2020-11979", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-11979", }, { cve: "CVE-2020-12762", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-12762", }, { cve: "CVE-2020-12825", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-12825", }, { cve: "CVE-2020-13956", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-13956", }, { cve: "CVE-2020-14060", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14060", }, { cve: "CVE-2020-14061", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14061", }, { cve: "CVE-2020-14062", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14062", }, { cve: "CVE-2020-14195", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-14195", }, { cve: "CVE-2020-15250", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-15250", }, { cve: "CVE-2020-1945", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-1945", }, { cve: "CVE-2020-1967", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-1967", }, { cve: "CVE-2020-1971", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-1971", }, { cve: "CVE-2020-24616", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-24616", }, { cve: "CVE-2020-24750", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-24750", }, { cve: "CVE-2020-25649", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-25649", }, { cve: "CVE-2020-25658", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-25658", }, { cve: "CVE-2020-26116", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-26116", }, { cve: "CVE-2020-26137", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-26137", }, { cve: "CVE-2020-26541", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-26541", }, { cve: "CVE-2020-27216", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-27216", }, { cve: "CVE-2020-27218", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-27218", }, { cve: "CVE-2020-27223", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-27223", }, { cve: "CVE-2020-28366", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-28366", }, { cve: "CVE-2020-28493", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-28493", }, { cve: "CVE-2020-29509", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29509", }, { cve: "CVE-2020-29511", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29511", }, { cve: "CVE-2020-29582", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29582", }, { cve: "CVE-2020-29651", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-29651", }, { cve: "CVE-2020-35490", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-35490", }, { cve: "CVE-2020-35491", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-35491", }, { cve: "CVE-2020-35728", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-35728", }, { cve: "CVE-2020-36179", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36179", }, { cve: "CVE-2020-36180", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36180", }, { cve: "CVE-2020-36181", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36181", }, { cve: "CVE-2020-36182", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36182", }, { cve: "CVE-2020-36183", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36183", }, { cve: "CVE-2020-36184", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36184", }, { cve: "CVE-2020-36185", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36185", }, { cve: "CVE-2020-36186", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36186", }, { cve: "CVE-2020-36187", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36187", }, { cve: "CVE-2020-36188", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36188", }, { cve: "CVE-2020-36189", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36189", }, { cve: "CVE-2020-36516", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36516", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-36557", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36557", }, { cve: "CVE-2020-36558", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36558", }, { cve: "CVE-2020-36691", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-36691", }, { cve: "CVE-2020-7238", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-7238", }, { cve: "CVE-2020-8840", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8840", }, { cve: "CVE-2020-8908", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8908", }, { cve: "CVE-2020-8911", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8911", }, { cve: "CVE-2020-8912", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-8912", }, { cve: "CVE-2020-9488", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9488", }, { cve: "CVE-2020-9493", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9493", }, { cve: "CVE-2020-9546", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9546", }, { cve: "CVE-2020-9547", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9547", }, { cve: "CVE-2020-9548", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2020-9548", }, { cve: "CVE-2021-20190", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-20190", }, { cve: "CVE-2021-20323", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-20323", }, { cve: "CVE-2021-21290", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-21290", }, { cve: "CVE-2021-21295", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-21295", }, { cve: "CVE-2021-21409", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-21409", }, { cve: "CVE-2021-23840", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-23840", }, { cve: "CVE-2021-23841", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-23841", }, { cve: "CVE-2021-2471", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-2471", }, { cve: "CVE-2021-25642", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-25642", }, { cve: "CVE-2021-26341", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-26341", }, { cve: "CVE-2021-27918", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-27918", }, { cve: "CVE-2021-28153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28153", }, { cve: "CVE-2021-28165", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28165", }, { cve: "CVE-2021-28169", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28169", }, { cve: "CVE-2021-28861", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-28861", }, { cve: "CVE-2021-29425", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-29425", }, { cve: "CVE-2021-30560", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-30560", }, { cve: "CVE-2021-3114", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3114", }, { cve: "CVE-2021-33036", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33036", }, { cve: "CVE-2021-33194", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33194", }, { cve: "CVE-2021-33195", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33195", }, { cve: "CVE-2021-33196", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33196", }, { cve: "CVE-2021-33197", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33197", }, { cve: "CVE-2021-33503", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33503", }, { cve: "CVE-2021-33655", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33655", }, { cve: "CVE-2021-33656", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-33656", }, { cve: "CVE-2021-3424", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3424", }, { cve: "CVE-2021-34428", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-34428", }, { cve: "CVE-2021-3449", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3449", }, { cve: "CVE-2021-3450", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3450", }, { cve: "CVE-2021-3530", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3530", }, { cve: "CVE-2021-36221", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36221", }, { cve: "CVE-2021-36373", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36373", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-3648", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3648", }, { cve: "CVE-2021-36690", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-36690", }, { cve: "CVE-2021-3711", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3711", }, { cve: "CVE-2021-3712", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3712", }, { cve: "CVE-2021-37136", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37136", }, { cve: "CVE-2021-37137", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37137", }, { cve: "CVE-2021-37404", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37404", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2021-3754", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3754", }, { cve: "CVE-2021-3778", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3778", }, { cve: "CVE-2021-3796", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3796", }, { cve: "CVE-2021-3826", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3826", }, { cve: "CVE-2021-3827", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3827", }, { cve: "CVE-2021-38297", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-38297", }, { cve: "CVE-2021-3872", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3872", }, { cve: "CVE-2021-3875", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3875", }, { cve: "CVE-2021-3903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3903", }, { cve: "CVE-2021-3923", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3923", }, { cve: "CVE-2021-3927", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3927", }, { cve: "CVE-2021-3928", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3928", }, { cve: "CVE-2021-3968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3968", }, { cve: "CVE-2021-3973", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3973", }, { cve: "CVE-2021-3974", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3974", }, { cve: "CVE-2021-3984", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-3984", }, { cve: "CVE-2021-4019", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4019", }, { cve: "CVE-2021-4037", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4037", }, { cve: "CVE-2021-4069", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4069", }, { cve: "CVE-2021-4104", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4104", }, { cve: "CVE-2021-4136", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4136", }, { cve: "CVE-2021-4157", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4157", }, { cve: "CVE-2021-4166", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4166", }, { cve: "CVE-2021-41771", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-41771", }, { cve: "CVE-2021-4192", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4192", }, { cve: "CVE-2021-4193", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4193", }, { cve: "CVE-2021-4203", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-4203", }, { cve: "CVE-2021-42567", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-42567", }, { cve: "CVE-2021-43797", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-43797", }, { cve: "CVE-2021-44531", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44531", }, { cve: "CVE-2021-44532", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44532", }, { cve: "CVE-2021-44533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44533", }, { cve: "CVE-2021-44716", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44716", }, { cve: "CVE-2021-44878", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-44878", }, { cve: "CVE-2021-45078", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-45078", }, { cve: "CVE-2021-46195", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-46195", }, { cve: "CVE-2021-46828", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-46828", }, { cve: "CVE-2021-46848", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2021-46848", }, { cve: "CVE-2022-0128", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0128", }, { cve: "CVE-2022-0213", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0213", }, { cve: "CVE-2022-0225", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0225", }, { cve: "CVE-2022-0261", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0261", }, { cve: "CVE-2022-0318", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0318", }, { cve: "CVE-2022-0319", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0319", }, { cve: "CVE-2022-0351", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0351", }, { cve: "CVE-2022-0359", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0359", }, { cve: "CVE-2022-0361", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0361", }, { cve: "CVE-2022-0392", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0392", }, { cve: "CVE-2022-0407", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0407", }, { cve: "CVE-2022-0413", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0413", }, { cve: "CVE-2022-0561", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0561", }, { cve: "CVE-2022-0696", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0696", }, { cve: "CVE-2022-0778", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-0778", }, { cve: "CVE-2022-1184", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1184", }, { cve: "CVE-2022-1245", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1245", }, { cve: "CVE-2022-1271", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1271", }, { cve: "CVE-2022-1292", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1292", }, { cve: "CVE-2022-1381", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1381", }, { cve: "CVE-2022-1420", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1420", }, { cve: "CVE-2022-1462", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1462", }, { cve: "CVE-2022-1466", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1466", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2022-1586", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1586", }, { cve: "CVE-2022-1587", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1587", }, { cve: "CVE-2022-1616", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1616", }, { cve: "CVE-2022-1619", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1619", }, { cve: "CVE-2022-1620", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1620", }, { cve: "CVE-2022-1679", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1679", }, { cve: "CVE-2022-1705", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1705", }, { cve: "CVE-2022-1720", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1720", }, { cve: "CVE-2022-1729", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1729", }, { cve: "CVE-2022-1733", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1733", }, { cve: "CVE-2022-1735", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1735", }, { cve: "CVE-2022-1771", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1771", }, { cve: "CVE-2022-1785", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1785", }, { cve: "CVE-2022-1796", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1796", }, { cve: "CVE-2022-1851", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1851", }, { cve: "CVE-2022-1897", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1897", }, { cve: "CVE-2022-1898", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1898", }, { cve: "CVE-2022-1927", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1927", }, { cve: "CVE-2022-1962", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1962", }, { cve: "CVE-2022-1968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1968", }, { cve: "CVE-2022-1974", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1974", }, { cve: "CVE-2022-1975", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-1975", }, { cve: "CVE-2022-20132", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20132", }, { cve: "CVE-2022-20141", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20141", }, { cve: "CVE-2022-20154", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20154", }, { cve: "CVE-2022-20166", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20166", }, { cve: "CVE-2022-20368", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20368", }, { cve: "CVE-2022-20369", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20369", }, { cve: "CVE-2022-2047", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2047", }, { cve: "CVE-2022-2048", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2048", }, { cve: "CVE-2022-20567", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-20567", }, { cve: "CVE-2022-2068", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2068", }, { cve: "CVE-2022-2097", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2097", }, { cve: "CVE-2022-21216", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21216", }, { cve: "CVE-2022-21233", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21233", }, { cve: "CVE-2022-2124", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2124", }, { cve: "CVE-2022-2125", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2125", }, { cve: "CVE-2022-2126", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2126", }, { cve: "CVE-2022-2129", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2129", }, { cve: "CVE-2022-21363", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21363", }, { cve: "CVE-2022-21385", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21385", }, { cve: "CVE-2022-21499", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21499", }, { cve: "CVE-2022-2153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2153", }, { cve: "CVE-2022-21540", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21540", }, { cve: "CVE-2022-21541", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21541", }, { cve: "CVE-2022-21549", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21549", }, { cve: "CVE-2022-21618", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21618", }, { cve: "CVE-2022-21619", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21619", }, { cve: "CVE-2022-21624", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21624", }, { cve: "CVE-2022-21626", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21626", }, { cve: "CVE-2022-21628", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21628", }, { cve: "CVE-2022-21702", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-21702", }, { cve: "CVE-2022-2175", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2175", }, { cve: "CVE-2022-2182", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2182", }, { cve: "CVE-2022-2183", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2183", }, { cve: "CVE-2022-2206", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2206", }, { cve: "CVE-2022-2207", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2207", }, { cve: "CVE-2022-2208", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2208", }, { cve: "CVE-2022-2210", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2210", }, { cve: "CVE-2022-2231", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2231", }, { cve: "CVE-2022-2256", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2256", }, { cve: "CVE-2022-2257", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2257", }, { cve: "CVE-2022-2264", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2264", }, { cve: "CVE-2022-2284", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2284", }, { cve: "CVE-2022-2285", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2285", }, { cve: "CVE-2022-2286", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2286", }, { cve: "CVE-2022-2287", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2287", }, { cve: "CVE-2022-22976", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-22976", }, { cve: "CVE-2022-22978", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-22978", }, { cve: "CVE-2022-2304", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2304", }, { cve: "CVE-2022-2318", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2318", }, { cve: "CVE-2022-23302", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23302", }, { cve: "CVE-2022-23305", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23305", }, { cve: "CVE-2022-23307", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23307", }, { cve: "CVE-2022-2343", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2343", }, { cve: "CVE-2022-2344", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2344", }, { cve: "CVE-2022-2345", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2345", }, { cve: "CVE-2022-23471", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23471", }, { cve: "CVE-2022-23521", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23521", }, { cve: "CVE-2022-23772", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23772", }, { cve: "CVE-2022-23773", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-23773", }, { cve: "CVE-2022-24302", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24302", }, { cve: "CVE-2022-24329", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24329", }, { cve: "CVE-2022-24823", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24823", }, { cve: "CVE-2022-24903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-24903", }, { cve: "CVE-2022-2503", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2503", }, { cve: "CVE-2022-25147", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25147", }, { cve: "CVE-2022-25168", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25168", }, { cve: "CVE-2022-2519", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2519", }, { cve: "CVE-2022-2520", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2520", }, { cve: "CVE-2022-2521", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2521", }, { cve: "CVE-2022-2522", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2522", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2022-2571", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2571", }, { cve: "CVE-2022-2580", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2580", }, { cve: "CVE-2022-2581", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2581", }, { cve: "CVE-2022-25857", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-25857", }, { cve: "CVE-2022-2588", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2588", }, { cve: "CVE-2022-2598", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2598", }, { cve: "CVE-2022-26148", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26148", }, { cve: "CVE-2022-26365", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26365", }, { cve: "CVE-2022-26373", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26373", }, { cve: "CVE-2022-2639", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2639", }, { cve: "CVE-2022-26612", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-26612", }, { cve: "CVE-2022-2663", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2663", }, { cve: "CVE-2022-27781", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-27781", }, { cve: "CVE-2022-27782", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-27782", }, { cve: "CVE-2022-27943", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-27943", }, { cve: "CVE-2022-2795", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2795", }, { cve: "CVE-2022-28131", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28131", }, { cve: "CVE-2022-2816", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2816", }, { cve: "CVE-2022-2817", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2817", }, { cve: "CVE-2022-2819", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2819", }, { cve: "CVE-2022-28327", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28327", }, { cve: "CVE-2022-2845", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2845", }, { cve: "CVE-2022-2849", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2849", }, { cve: "CVE-2022-2862", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2862", }, { cve: "CVE-2022-2867", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2867", }, { cve: "CVE-2022-2868", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2868", }, { cve: "CVE-2022-2869", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2869", }, { cve: "CVE-2022-28693", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28693", }, { cve: "CVE-2022-2874", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2874", }, { cve: "CVE-2022-28748", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-28748", }, { cve: "CVE-2022-2880", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2880", }, { cve: "CVE-2022-2889", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2889", }, { cve: "CVE-2022-29162", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29162", }, { cve: "CVE-2022-29187", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29187", }, { cve: "CVE-2022-2923", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2923", }, { cve: "CVE-2022-2946", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2946", }, { cve: "CVE-2022-29526", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29526", }, { cve: "CVE-2022-29583", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29583", }, { cve: "CVE-2022-2964", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2964", }, { cve: "CVE-2022-2977", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2977", }, { cve: "CVE-2022-2980", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2980", }, { cve: "CVE-2022-2982", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2982", }, { cve: "CVE-2022-29900", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29900", }, { cve: "CVE-2022-29901", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-29901", }, { cve: "CVE-2022-2991", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-2991", }, { cve: "CVE-2022-3016", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3016", }, { cve: "CVE-2022-3028", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3028", }, { cve: "CVE-2022-3037", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3037", }, { cve: "CVE-2022-30580", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30580", }, { cve: "CVE-2022-30630", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30630", }, { cve: "CVE-2022-30631", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30631", }, { cve: "CVE-2022-30632", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30632", }, { cve: "CVE-2022-30633", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-30633", }, { cve: "CVE-2022-3099", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3099", }, { cve: "CVE-2022-31030", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-31030", }, { cve: "CVE-2022-31159", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-31159", }, { cve: "CVE-2022-3134", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3134", }, { cve: "CVE-2022-3153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3153", }, { cve: "CVE-2022-3169", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3169", }, { cve: "CVE-2022-31690", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-31690", }, { cve: "CVE-2022-32148", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32148", }, { cve: "CVE-2022-32149", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32149", }, { cve: "CVE-2022-32206", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32206", }, { cve: "CVE-2022-32208", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32208", }, { cve: "CVE-2022-32221", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-32221", }, { cve: "CVE-2022-3234", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3234", }, { cve: "CVE-2022-3235", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3235", }, { cve: "CVE-2022-3239", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3239", }, { cve: "CVE-2022-3278", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3278", }, { cve: "CVE-2022-3296", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3296", }, { cve: "CVE-2022-3297", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3297", }, { cve: "CVE-2022-33196", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33196", }, { cve: "CVE-2022-3324", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3324", }, { cve: "CVE-2022-3352", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3352", }, { cve: "CVE-2022-33740", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33740", }, { cve: "CVE-2022-33741", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33741", }, { cve: "CVE-2022-33742", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33742", }, { cve: "CVE-2022-33972", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33972", }, { cve: "CVE-2022-33981", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-33981", }, { cve: "CVE-2022-34169", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34169", }, { cve: "CVE-2022-3424", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3424", }, { cve: "CVE-2022-34266", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34266", }, { cve: "CVE-2022-34526", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34526", }, { cve: "CVE-2022-34903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-34903", }, { cve: "CVE-2022-3491", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3491", }, { cve: "CVE-2022-3515", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3515", }, { cve: "CVE-2022-3520", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3520", }, { cve: "CVE-2022-3521", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3521", }, { cve: "CVE-2022-3524", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3524", }, { cve: "CVE-2022-35252", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-35252", }, { cve: "CVE-2022-3542", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3542", }, { cve: "CVE-2022-3545", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3545", }, { cve: "CVE-2022-3564", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3564", }, { cve: "CVE-2022-3565", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3565", }, { cve: "CVE-2022-3566", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3566", }, { cve: "CVE-2022-3567", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3567", }, { cve: "CVE-2022-35737", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-35737", }, { cve: "CVE-2022-3586", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3586", }, { cve: "CVE-2022-3591", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3591", }, { cve: "CVE-2022-3594", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3594", }, { cve: "CVE-2022-3597", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3597", }, { cve: "CVE-2022-3599", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3599", }, { cve: "CVE-2022-36109", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36109", }, { cve: "CVE-2022-3621", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3621", }, { cve: "CVE-2022-3626", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3626", }, { cve: "CVE-2022-3627", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3627", }, { cve: "CVE-2022-3628", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3628", }, { cve: "CVE-2022-36280", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36280", }, { cve: "CVE-2022-3629", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3629", }, { cve: "CVE-2022-3635", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3635", }, { cve: "CVE-2022-3643", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3643", }, { cve: "CVE-2022-36437", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36437", }, { cve: "CVE-2022-3646", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3646", }, { cve: "CVE-2022-3649", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3649", }, { cve: "CVE-2022-36760", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36760", }, { cve: "CVE-2022-36879", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36879", }, { cve: "CVE-2022-36946", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-36946", }, { cve: "CVE-2022-3705", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3705", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-37436", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37436", }, { cve: "CVE-2022-37865", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37865", }, { cve: "CVE-2022-37866", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-37866", }, { cve: "CVE-2022-38090", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38090", }, { cve: "CVE-2022-38096", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38096", }, { cve: "CVE-2022-38126", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38126", }, { cve: "CVE-2022-38127", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38127", }, { cve: "CVE-2022-38177", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38177", }, { cve: "CVE-2022-38178", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38178", }, { cve: "CVE-2022-3821", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3821", }, { cve: "CVE-2022-38533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38533", }, { cve: "CVE-2022-38749", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38749", }, { cve: "CVE-2022-38750", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38750", }, { cve: "CVE-2022-38751", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38751", }, { cve: "CVE-2022-38752", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-38752", }, { cve: "CVE-2022-39028", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-39028", }, { cve: "CVE-2022-3903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3903", }, { cve: "CVE-2022-39188", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-39188", }, { cve: "CVE-2022-39399", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-39399", }, { cve: "CVE-2022-3970", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-3970", }, { cve: "CVE-2022-40149", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40149", }, { cve: "CVE-2022-40150", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40150", }, { cve: "CVE-2022-40151", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40151", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40153", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40153", }, { cve: "CVE-2022-40303", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40303", }, { cve: "CVE-2022-40304", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40304", }, { cve: "CVE-2022-40307", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40307", }, { cve: "CVE-2022-40674", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40674", }, { cve: "CVE-2022-40768", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40768", }, { cve: "CVE-2022-40899", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-40899", }, { cve: "CVE-2022-4095", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4095", }, { cve: "CVE-2022-41218", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41218", }, { cve: "CVE-2022-4129", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4129", }, { cve: "CVE-2022-4141", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4141", }, { cve: "CVE-2022-41717", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41717", }, { cve: "CVE-2022-41721", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41721", }, { cve: "CVE-2022-41848", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41848", }, { cve: "CVE-2022-41850", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41850", }, { cve: "CVE-2022-41854", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41854", }, { cve: "CVE-2022-41858", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41858", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-41903", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41903", }, { cve: "CVE-2022-41915", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41915", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41974", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-41974", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42010", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42010", }, { cve: "CVE-2022-42011", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42011", }, { cve: "CVE-2022-42012", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42012", }, { cve: "CVE-2022-42328", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42328", }, { cve: "CVE-2022-42329", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42329", }, { cve: "CVE-2022-42703", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42703", }, { cve: "CVE-2022-42889", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42889", }, { cve: "CVE-2022-42895", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42895", }, { cve: "CVE-2022-42896", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42896", }, { cve: "CVE-2022-42898", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42898", }, { cve: "CVE-2022-4292", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4292", }, { cve: "CVE-2022-4293", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4293", }, { cve: "CVE-2022-42969", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-42969", }, { cve: "CVE-2022-4304", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4304", }, { cve: "CVE-2022-43552", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43552", }, { cve: "CVE-2022-43680", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43680", }, { cve: "CVE-2022-43750", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43750", }, { cve: "CVE-2022-4378", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4378", }, { cve: "CVE-2022-43945", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43945", }, { cve: "CVE-2022-43995", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-43995", }, { cve: "CVE-2022-4415", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4415", }, { cve: "CVE-2022-4450", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4450", }, { cve: "CVE-2022-44638", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-44638", }, { cve: "CVE-2022-45061", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45061", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45884", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45884", }, { cve: "CVE-2022-45885", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45885", }, { cve: "CVE-2022-45886", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45886", }, { cve: "CVE-2022-45887", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45887", }, { cve: "CVE-2022-45919", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45919", }, { cve: "CVE-2022-45934", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45934", }, { cve: "CVE-2022-45939", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-45939", }, { cve: "CVE-2022-4662", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-4662", }, { cve: "CVE-2022-46751", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-46751", }, { cve: "CVE-2022-46908", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-46908", }, { cve: "CVE-2022-47629", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-47629", }, { cve: "CVE-2022-47929", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-47929", }, { cve: "CVE-2022-48281", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-48281", }, { cve: "CVE-2022-48337", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-48337", }, { cve: "CVE-2022-48339", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2022-48339", }, { cve: "CVE-2023-0045", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0045", }, { cve: "CVE-2023-0049", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0049", }, { cve: "CVE-2023-0051", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0051", }, { cve: "CVE-2023-0054", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0054", }, { cve: "CVE-2023-0215", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0215", }, { cve: "CVE-2023-0286", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0286", }, { cve: "CVE-2023-0288", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0288", }, { cve: "CVE-2023-0433", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0433", }, { cve: "CVE-2023-0464", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0464", }, { cve: "CVE-2023-0465", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0465", }, { cve: "CVE-2023-0466", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0466", }, { cve: "CVE-2023-0512", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0512", }, { cve: "CVE-2023-0590", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0590", }, { cve: "CVE-2023-0597", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0597", }, { cve: "CVE-2023-0833", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-0833", }, { cve: "CVE-2023-1076", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1076", }, { cve: "CVE-2023-1095", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1095", }, { cve: "CVE-2023-1118", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1118", }, { cve: "CVE-2023-1127", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1127", }, { cve: "CVE-2023-1170", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1170", }, { cve: "CVE-2023-1175", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1175", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-1380", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1380", }, { cve: "CVE-2023-1390", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1390", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1513", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1513", }, { cve: "CVE-2023-1611", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1611", }, { cve: "CVE-2023-1670", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1670", }, { cve: "CVE-2023-1855", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1855", }, { cve: "CVE-2023-1989", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1989", }, { cve: "CVE-2023-1990", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1990", }, { cve: "CVE-2023-1998", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-1998", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-2124", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2124", }, { cve: "CVE-2023-2162", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2162", }, { cve: "CVE-2023-2176", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2176", }, { cve: "CVE-2023-21830", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21830", }, { cve: "CVE-2023-21835", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21835", }, { cve: "CVE-2023-21843", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21843", }, { cve: "CVE-2023-21930", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21930", }, { cve: "CVE-2023-21937", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21937", }, { cve: "CVE-2023-21938", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21938", }, { cve: "CVE-2023-21939", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21939", }, { cve: "CVE-2023-2194", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2194", }, { cve: "CVE-2023-21954", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21954", }, { cve: "CVE-2023-21967", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21967", }, { cve: "CVE-2023-21968", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-21968", }, { cve: "CVE-2023-22490", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-22490", }, { cve: "CVE-2023-2253", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2253", }, { cve: "CVE-2023-22809", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-22809", }, { cve: "CVE-2023-23454", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23454", }, { cve: "CVE-2023-23455", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23455", }, { cve: "CVE-2023-23559", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23559", }, { cve: "CVE-2023-23916", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23916", }, { cve: "CVE-2023-23946", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-23946", }, { cve: "CVE-2023-24329", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24329", }, { cve: "CVE-2023-24532", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24532", }, { cve: "CVE-2023-24534", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24534", }, { cve: "CVE-2023-2483", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2483", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-2513", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2513", }, { cve: "CVE-2023-25193", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25193", }, { cve: "CVE-2023-25652", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25652", }, { cve: "CVE-2023-25690", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25690", }, { cve: "CVE-2023-25809", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25809", }, { cve: "CVE-2023-25815", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-25815", }, { cve: "CVE-2023-26048", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26048", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-2650", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2650", }, { cve: "CVE-2023-26545", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26545", }, { cve: "CVE-2023-26604", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-26604", }, { cve: "CVE-2023-27533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27533", }, { cve: "CVE-2023-27534", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27534", }, { cve: "CVE-2023-27535", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27535", }, { cve: "CVE-2023-27536", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27536", }, { cve: "CVE-2023-27538", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27538", }, { cve: "CVE-2023-27561", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-27561", }, { cve: "CVE-2023-2828", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2828", }, { cve: "CVE-2023-28320", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28320", }, { cve: "CVE-2023-28321", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28321", }, { cve: "CVE-2023-28322", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28322", }, { cve: "CVE-2023-28328", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28328", }, { cve: "CVE-2023-28464", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28464", }, { cve: "CVE-2023-28486", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28486", }, { cve: "CVE-2023-28487", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28487", }, { cve: "CVE-2023-28642", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28642", }, { cve: "CVE-2023-28772", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28772", }, { cve: "CVE-2023-28840", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28840", }, { cve: "CVE-2023-28841", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28841", }, { cve: "CVE-2023-28842", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-28842", }, { cve: "CVE-2023-29007", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29007", }, { cve: "CVE-2023-29383", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29383", }, { cve: "CVE-2023-29402", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29402", }, { cve: "CVE-2023-29406", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29406", }, { cve: "CVE-2023-29409", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-29409", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-30630", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-30630", }, { cve: "CVE-2023-30772", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-30772", }, { cve: "CVE-2023-31084", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-31084", }, { cve: "CVE-2023-3138", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-3138", }, { cve: "CVE-2023-31436", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-31436", }, { cve: "CVE-2023-31484", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-31484", }, { cve: "CVE-2023-32269", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-32269", }, { cve: "CVE-2023-32697", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-32697", }, { cve: "CVE-2023-33264", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-33264", }, { cve: "CVE-2023-34034", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34034", }, { cve: "CVE-2023-34035", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34035", }, { cve: "CVE-2023-34453", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34453", }, { cve: "CVE-2023-34454", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34454", }, { cve: "CVE-2023-34455", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34455", }, { cve: "CVE-2023-34462", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-34462", }, { cve: "CVE-2023-35116", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-35116", }, { cve: "CVE-2023-3635", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-3635", }, { cve: "CVE-2023-36479", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-36479", }, { cve: "CVE-2023-39533", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-39533", }, { cve: "CVE-2023-40167", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-40167", }, { cve: "CVE-2023-40217", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-40217", }, { cve: "CVE-2023-41105", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-41105", }, { cve: "CVE-2023-41900", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-41900", }, { cve: "CVE-2023-43642", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-43642", }, { cve: "CVE-2023-43804", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-43804", }, { cve: "CVE-2023-44487", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-44487", }, { cve: "CVE-2023-45803", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2023-45803", }, { cve: "CVE-2024-21626", notes: [ { category: "description", text: "In Dell ECS existieren mehrere Schwachstellen. Diese bestehen in diversen Komponenten von Drittanbietern. Ein Angreifer kann diese Schwachstellen ausnutzen, um seine Privilegien zu erweitern, beliebigen Programmcode mit Administratorrechten auszuführen, Informationen offenzulegen, Dateien zu manipulieren, einen Cross-Site-Scripting-Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service Zustand herbeizuführen.", }, ], product_status: { known_affected: [ "T033919", ], }, release_date: "2024-04-04T22:00:00.000+00:00", title: "CVE-2024-21626", }, ], }
wid-sec-w-2024-0871
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Commerce: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Commerce ist eine elektronische Handelsplattform.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Commerce ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Commerce ist eine elektronische Handelsplattform.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Commerce ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0871 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0871.json", }, { category: "self", summary: "WID-SEC-2024-0871 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0871", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Commerce vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixOCOM", }, ], source_lang: "en-US", title: "Oracle Commerce: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:40.784+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0871", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "11.3.0", product: { name: "Oracle Commerce 11.3.0", product_id: "T018931", product_identification_helper: { cpe: "cpe:/a:oracle:commerce:11.3.0", }, }, }, { category: "product_version", name: "11.3.1", product: { name: "Oracle Commerce 11.3.1", product_id: "T018932", product_identification_helper: { cpe: "cpe:/a:oracle:commerce:11.3.1", }, }, }, { category: "product_version", name: "11.3.2", product: { name: "Oracle Commerce 11.3.2", product_id: "T018933", product_identification_helper: { cpe: "cpe:/a:oracle:commerce:11.3.2", }, }, }, ], category: "product_name", name: "Commerce", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-46364", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-46364", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-41080", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-41080", }, { cve: "CVE-2023-5072", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2024-21100", notes: [ { category: "description", text: "In Oracle Commerce existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018931", "T018932", "T018933", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21100", }, ], }
wid-sec-w-2023-1811
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Construction and Engineering: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterstützung von Bau- und Ingenieurbüros. Sie umfasst u. a. Projektmanagement-Lösungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von Änderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Construction and Engineering ist eine Sammlung von Werkzeugen zur Unterstützung von Bau- und Ingenieurbüros. Sie umfasst u. a. Projektmanagement-Lösungen zur Verwaltung von Projekte, zur Schaffung von Transparenz, zur Zusammenarbeit und zur Verwaltung von Änderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Construction and Engineering ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1811 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1811.json", }, { category: "self", summary: "WID-SEC-2023-1811 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1811", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Construction and Engineering vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixPVA", }, ], source_lang: "en-US", title: "Oracle Construction and Engineering: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:52.560+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1811", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Construction and Engineering <= 18.8.15", product: { name: "Oracle Construction and Engineering <= 18.8.15", product_id: "T024984", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:18.8.15", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 18.8.18", product: { name: "Oracle Construction and Engineering <= 18.8.18", product_id: "T027344", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:18.8.18", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 19.12.16", product: { name: "Oracle Construction and Engineering <= 19.12.16", product_id: "T027345", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:19.12.16", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 20.12.16", product: { name: "Oracle Construction and Engineering <= 20.12.16", product_id: "T027346", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:20.12.16", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 20.12.11", product: { name: "Oracle Construction and Engineering <= 20.12.11", product_id: "T028686", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:20.12.11", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 21.12.9", product: { name: "Oracle Construction and Engineering <= 21.12.9", product_id: "T028687", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:21.12.9", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 21.12.15", product: { name: "Oracle Construction and Engineering <= 21.12.15", product_id: "T028688", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:21.12.15", }, }, }, { category: "product_name", name: "Oracle Construction and Engineering <= 22.12.6", product: { name: "Oracle Construction and Engineering <= 22.12.6", product_id: "T028689", product_identification_helper: { cpe: "cpe:/a:oracle:construction_and_engineering:22.12.6", }, }, }, ], category: "product_name", name: "Construction and Engineering", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Construction and Engineering existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\" und \"Availability\", sowie \"LOW\" für \"Integrity\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL-HOCH\" für die Schadenshöhe.", }, ], product_status: { last_affected: [ "T024984", "T027346", "T028688", "T028689", "T027344", "T028686", "T027345", "T028687", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
WID-SEC-W-2023-1602
Vulnerability from csaf_certbund
Published
2023-06-29 22:00
Modified
2023-10-03 22:00
Summary
Elasticsearch: Schwachstelle ermöglicht Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Elasticsearch ist eine Open Source, verteilte Echtzeit-Suche und Analyse-Engine.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Elasticsearch ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Elasticsearch ist eine Open Source, verteilte Echtzeit-Suche und Analyse-Engine.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Elasticsearch ausnutzen, um einen Denial of Service Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1602 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1602.json", }, { category: "self", summary: "WID-SEC-2023-1602 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1602", }, { category: "external", summary: "Hitachi Vulnerability Information HITACHI-SEC-2023-144 vom 2023-10-03", url: "https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2023-144/index.html", }, { category: "external", summary: "Elastic Security Announcement ESA-2023-09 vom 2023-07-18", url: "https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-2-13-3-3-3-0-security-update/338650", }, { category: "external", summary: "Elasticsearch 8.8.2, 7.17.11 Security Update vom 2023-06-29", url: "https://discuss.elastic.co/t/subject-elasticsearch-8-8-2-7-17-11-security-update/337205", }, ], source_lang: "en-US", title: "Elasticsearch: Schwachstelle ermöglicht Denial of Service", tracking: { current_release_date: "2023-10-03T22:00:00.000+00:00", generator: { date: "2024-08-15T17:53:56.255+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1602", initial_release_date: "2023-06-29T22:00:00.000+00:00", revision_history: [ { date: "2023-06-29T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-07-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Elastic aufgenommen", }, { date: "2023-08-10T22:00:00.000+00:00", number: "3", summary: "Korrektur Produktzuordnung", }, { date: "2023-10-03T22:00:00.000+00:00", number: "4", summary: "Neue Updates von HITACHI aufgenommen", }, ], status: "final", version: "4", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Hitachi Ops Center < Analyzer 10.9.3-00", product: { name: "Hitachi Ops Center < Analyzer 10.9.3-00", product_id: "T030196", product_identification_helper: { cpe: "cpe:/a:hitachi:ops_center:analyzer_10.9.3-00", }, }, }, { category: "product_name", name: "Hitachi Ops Center < Viewpoint 10.9.3-00", product: { name: "Hitachi Ops Center < Viewpoint 10.9.3-00", product_id: "T030197", product_identification_helper: { cpe: "cpe:/a:hitachi:ops_center:viewpoint_10.9.3-00", }, }, }, ], category: "product_name", name: "Ops Center", }, ], category: "vendor", name: "Hitachi", }, { branches: [ { branches: [ { category: "product_name", name: "Open Source Elasticsearch < 8.8.2", product: { name: "Open Source Elasticsearch < 8.8.2", product_id: "T028370", product_identification_helper: { cpe: "cpe:/a:elasticsearch:elasticsearch:8.8.2", }, }, }, { category: "product_name", name: "Open Source Elasticsearch < 7.17.11", product: { name: "Open Source Elasticsearch < 7.17.11", product_id: "T028371", product_identification_helper: { cpe: "cpe:/a:elasticsearch:elasticsearch:7.17.11", }, }, }, ], category: "product_name", name: "Elasticsearch", }, ], category: "vendor", name: "Open Source", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es existiert eine Schwachstelle in Elasticsearch. Diese besteht aufgrund der Verwendung einer transitiven Abhängigkeit zu \"json-smart\", die verschachtelte Arrays auf unsichere Weise parst. Es sind nur Nutzer betroffen, die mindestens einen OpenID Connect-Authentifizierungsbereich oder mindestens einen JWT-Authentifizierungsbereich konfiguriert haben. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial of Service zu verursachen.", }, ], product_status: { known_affected: [ "T030196", "T030197", ], }, release_date: "2023-06-29T22:00:00.000+00:00", title: "CVE-2023-1370", }, ], }
wid-sec-w-2024-0888
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Systems: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Systems umfasst eine Sammlung von Hardware, Betriebssystemen, Servern und Anwendungen.
Angriff
Ein Angreifer kann mehrere Schwachstellen in Oracle Systems ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Systems umfasst eine Sammlung von Hardware, Betriebssystemen, Servern und Anwendungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in Oracle Systems ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0888 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0888.json", }, { category: "self", summary: "WID-SEC-2024-0888 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0888", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Systems vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixSUNS", }, ], source_lang: "en-US", title: "Oracle Systems: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:45.335+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0888", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "8.8", product: { name: "Oracle Systems 8.8", product_id: "T019057", product_identification_helper: { cpe: "cpe:/a:oracle:systems:8.8", }, }, }, { category: "product_version", name: "11", product: { name: "Oracle Systems 11", product_id: "T019059", product_identification_helper: { cpe: "cpe:/a:oracle:systems:11", }, }, }, { category: "product_version", name: "4", product: { name: "Oracle Systems 4", product_id: "T022889", product_identification_helper: { cpe: "cpe:/a:oracle:systems:4", }, }, }, { category: "product_version", name: "2.5", product: { name: "Oracle Systems 2.5", product_id: "T034196", product_identification_helper: { cpe: "cpe:/a:oracle:systems:2.5", }, }, }, ], category: "product_name", name: "Systems", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2020-35168", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2020-35168", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2022-24839", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-24839", }, { cve: "CVE-2022-34381", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-34381", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2024-20999", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-20999", }, { cve: "CVE-2024-21059", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21059", }, { cve: "CVE-2024-21104", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21104", }, { cve: "CVE-2024-21105", notes: [ { category: "description", text: "In Oracle Systems existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T019059", "T022889", "T034196", "T019057", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21105", }, ], }
wid-sec-w-2024-0124
Vulnerability from csaf_certbund
Published
2024-01-16 23:00
Modified
2024-01-16 23:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0124 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0124.json", }, { category: "self", summary: "WID-SEC-2024-0124 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0124", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - January 2024 - Appendix Oracle Financial Services Applications vom 2024-01-16", url: "https://www.oracle.com/security-alerts/cpujan2024.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2024-01-16T23:00:00.000+00:00", generator: { date: "2024-08-15T18:03:50.294+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0124", initial_release_date: "2024-01-16T23:00:00.000+00:00", revision_history: [ { date: "2024-01-16T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Financial Services Applications 2.7.1", product: { name: "Oracle Financial Services Applications 2.7.1", product_id: "T018979", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.7.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.8.0", product: { name: "Oracle Financial Services Applications 2.8.0", product_id: "T018980", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.8.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.9.0", product: { name: "Oracle Financial Services Applications 2.9.0", product_id: "T018981", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.9.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.0", product: { name: "Oracle Financial Services Applications 8.1.0", product_id: "T018983", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.9", product: { name: "Oracle Financial Services Applications 8.0.9", product_id: "T019890", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.9", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1", product: { name: "Oracle Financial Services Applications 8.1.1", product_id: "T019891", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.7", product: { name: "Oracle Financial Services Applications 8.0.7", product_id: "T021676", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8", product: { name: "Oracle Financial Services Applications 8.0.8", product_id: "T021677", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1.1", product: { name: "Oracle Financial Services Applications 8.1.1.1", product_id: "T022835", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.1", product: { name: "Oracle Financial Services Applications 8.0.8.1", product_id: "T022844", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.2", product: { name: "Oracle Financial Services Applications 8.0.8.2", product_id: "T024990", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.9.1", product: { name: "Oracle Financial Services Applications 2.9.1", product_id: "T027359", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.9.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2", product: { name: "Oracle Financial Services Applications 8.1.2", product_id: "T028705", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.5", product: { name: "Oracle Financial Services Applications 8.1.2.5", product_id: "T028706", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.5", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.7.0", product: { name: "Oracle Financial Services Applications <= 14.7.0", product_id: "T028707", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.1.0", product: { name: "Oracle Financial Services Applications 22.1.0", product_id: "T032101", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.2.0", product: { name: "Oracle Financial Services Applications 22.2.0", product_id: "T032102", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.2.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 21.1.0", product: { name: "Oracle Financial Services Applications 21.1.0", product_id: "T032103", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:21.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.6", product: { name: "Oracle Financial Services Applications 8.1.2.6", product_id: "T032104", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.6", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.1.0", product: { name: "Oracle Financial Services Applications 19.1.0", product_id: "T032105", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 5.0.0", product: { name: "Oracle Financial Services Applications 5.0.0", product_id: "T032106", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:5.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 5.1.0", product: { name: "Oracle Financial Services Applications 5.1.0", product_id: "T032107", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:5.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 3.2.0", product: { name: "Oracle Financial Services Applications <= 3.2.0", product_id: "T032108", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:3.2.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 4.0.0", product: { name: "Oracle Financial Services Applications 4.0.0", product_id: "T032109", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:4.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 6.0.0", product: { name: "Oracle Financial Services Applications 6.0.0", product_id: "T032110", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:6.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.3.0", product: { name: "Oracle Financial Services Applications 14.7.0.3.0", product_id: "T032111", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.3.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 3.0.0", product: { name: "Oracle Financial Services Applications 3.0.0", product_id: "T032112", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:3.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 3.1.0", product: { name: "Oracle Financial Services Applications 3.1.0", product_id: "T032113", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:3.1.0", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-5072", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2023-46604", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-46604", }, { cve: "CVE-2023-44483", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-44483", }, { cve: "CVE-2023-42503", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-42503", }, { cve: "CVE-2023-34034", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-34034", }, { cve: "CVE-2023-33201", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-33201", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-2618", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-2618", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-21901", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-21901", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-44729", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-44729", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-36944", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-36944", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-34169", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-34169", }, { cve: "CVE-2022-31692", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-31692", }, { cve: "CVE-2022-31160", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-31160", }, { cve: "CVE-2022-25147", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-25147", }, { cve: "CVE-2022-22979", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-22979", }, { cve: "CVE-2022-22969", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2022-22969", }, { cve: "CVE-2020-5410", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2020-5410", }, { cve: "CVE-2020-15250", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T032105", "T032102", "T032103", "T032109", "T032106", "T032107", "T019890", "T019891", "T032101", "T018980", "T018981", "T021677", "T022844", "T018983", "T021676", "T028705", "T028706", "T027359", "T032113", "T032111", "T032112", "T032110", "T022835", "T018979", "T024990", ], last_affected: [ "T028707", "T032108", ], }, release_date: "2024-01-16T23:00:00.000+00:00", title: "CVE-2020-15250", }, ], }
WID-SEC-W-2023-1022
Vulnerability from csaf_certbund
Published
2023-04-18 22:00
Modified
2023-04-18 22:00
Summary
Oracle Communications Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Communications Applications umfasst eine Sammlung von Werkzeugen zur Verwaltung von Messaging-, Kommunikationsdiensten und -ressourcen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1022 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1022.json", }, { category: "self", summary: "WID-SEC-2023-1022 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1022", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2023 - Appendix Oracle Communications Applications vom 2023-04-18", url: "https://www.oracle.com/security-alerts/cpuapr2023.html#AppendixCAGBU", }, ], source_lang: "en-US", title: "Oracle Communications Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-04-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:49:25.156+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1022", initial_release_date: "2023-04-18T22:00:00.000+00:00", revision_history: [ { date: "2023-04-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Communications Applications 7.4.0", product: { name: "Oracle Communications Applications 7.4.0", product_id: "T018938", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.4.0", }, }, }, { category: "product_name", name: "Oracle Communications Applications 7.4.1", product: { name: "Oracle Communications Applications 7.4.1", product_id: "T018939", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.4.1", }, }, }, { category: "product_name", name: "Oracle Communications Applications 7.4.2", product: { name: "Oracle Communications Applications 7.4.2", product_id: "T018940", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.4.2", }, }, }, { category: "product_name", name: "Oracle Communications Applications 6.0.1.0.0", product: { name: "Oracle Communications Applications 6.0.1.0.0", product_id: "T021634", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:6.0.1.0.0", }, }, }, { category: "product_name", name: "Oracle Communications Applications 7.5.0", product: { name: "Oracle Communications Applications 7.5.0", product_id: "T021639", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:7.5.0", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 5.5.9", product: { name: "Oracle Communications Applications <= 5.5.9", product_id: "T025857", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:5.5.9", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 6.0.1", product: { name: "Oracle Communications Applications <= 6.0.1", product_id: "T025858", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:6.0.1", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 5.5.10", product: { name: "Oracle Communications Applications <= 5.5.10", product_id: "T027322", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:5.5.10", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 6.0.2", product: { name: "Oracle Communications Applications <= 6.0.2", product_id: "T027323", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:6.0.2", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 12.0.6", product: { name: "Oracle Communications Applications <= 12.0.6", product_id: "T027324", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:12.0.6", }, }, }, { category: "product_name", name: "Oracle Communications Applications <= 12.0.6.0.0", product: { name: "Oracle Communications Applications <= 12.0.6.0.0", product_id: "T027325", product_identification_helper: { cpe: "cpe:/a:oracle:communications_applications:12.0.6.0.0", }, }, }, ], category: "product_name", name: "Communications Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-0662", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2023-0662", }, { cve: "CVE-2022-46908", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-46908", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-39271", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-39271", }, { cve: "CVE-2022-36760", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-36760", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-31123", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-31123", }, { cve: "CVE-2022-31081", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-31081", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-41183", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2021-41183", }, { cve: "CVE-2020-7009", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-7009", }, { cve: "CVE-2020-35168", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2020-35168", }, { cve: "CVE-2019-11287", notes: [ { category: "description", text: "In Oracle Communications Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018940", "T021634", "T021639", "T018938", "T018939", ], last_affected: [ "T025858", "T025857", "T027324", "T027325", "T027322", "T027323", ], }, release_date: "2023-04-18T22:00:00.000+00:00", title: "CVE-2019-11287", }, ], }
WID-SEC-W-2024-0874
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-04-16 22:00
Summary
Oracle Enterprise Manager: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Enterprise Manager (OEM) ist ein Set von System Management Werkzeugen von Oracle für Oracle Umgebungen. Es beinhaltet Werkzeuge zum Monitoring von Oracle Umgebung und zur Automatisierung von Datenbank- und Applikations Administration.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Enterprise Manager ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0874 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0874.json", }, { category: "self", summary: "WID-SEC-2024-0874 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0874", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Enterprise Manager vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixEM", }, ], source_lang: "en-US", title: "Oracle Enterprise Manager: Mehrere Schwachstellen", tracking: { current_release_date: "2024-04-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:07:41.950+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0874", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "13.3.0.1", product: { name: "Oracle Enterprise Manager 13.3.0.1", product_id: "T018974", product_identification_helper: { cpe: "cpe:/a:oracle:enterprise_manager:13.3.0.1", }, }, }, { category: "product_version", name: "13.5.0.0", product: { name: "Oracle Enterprise Manager 13.5.0.0", product_id: "T020692", product_identification_helper: { cpe: "cpe:/a:oracle:enterprise_manager:13.5.0.0", }, }, }, ], category: "product_name", name: "Enterprise Manager", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-36770", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2021-36770", }, { cve: "CVE-2022-34381", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-34381", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-46337", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-46337", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-42503", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-42503", }, { cve: "CVE-2023-44487", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-44487", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, { cve: "CVE-2024-21067", notes: [ { category: "description", text: "In Oracle Enterprise Manager existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T018974", "T020692", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21067", }, ], }
wid-sec-w-2023-1142
Vulnerability from csaf_certbund
Published
2023-05-03 22:00
Modified
2024-02-28 23:00
Summary
Red Hat Integration Camel for Spring Boot: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Integration Camel for Spring Boot ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat Enterprise Linux (RHEL) ist eine populäre Linux-Distribution.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat Integration Camel for Spring Boot ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1142 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1142.json", }, { category: "self", summary: "WID-SEC-2023-1142 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1142", }, { category: "external", summary: "RedHat Security Advisory vom 2023-05-03", url: "https://access.redhat.com/errata/RHSA-2023:2100", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3179 vom 2023-05-17", url: "https://access.redhat.com/errata/RHSA-2023:3179", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3193 vom 2023-05-17", url: "https://access.redhat.com/errata/RHSA-2023:3193", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3622 vom 2023-06-15", url: "https://access.redhat.com/errata/RHSA-2023:3622", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3667 vom 2023-06-19", url: "https://access.redhat.com/errata/RHSA-2023:3667", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3626 vom 2023-06-23", url: "https://access.redhat.com/errata/RHSA-2023:3626", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3625 vom 2023-06-23", url: "https://access.redhat.com/errata/RHSA-2023:3625", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3906 vom 2023-06-28", url: "https://access.redhat.com/errata/RHSA-2023:3906", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:3954 vom 2023-06-29", url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS2-2023-2165 vom 2023-07-26", url: "https://alas.aws.amazon.com/AL2/ALAS-2023-2165.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4506 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4506", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4507 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4507", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4505 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4505", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4509 vom 2023-08-07", url: "https://access.redhat.com/errata/RHSA-2023:4509", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4612 vom 2023-08-16", url: "https://access.redhat.com/errata/RHSA-2023:4612", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4919 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4919", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4921 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4921", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4924 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4924", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4918 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4918", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:4920 vom 2023-08-31", url: "https://access.redhat.com/errata/RHSA-2023:4920", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2023:7670 vom 2023-12-06", url: "https://access.redhat.com/errata/RHSA-2023:7670", }, { category: "external", summary: "Dell Security Advisory DSA-2023-300 vom 2023-12-22", url: "https://www.dell.com/support/kbdoc/000220649/dsa-2023-=", }, { category: "external", summary: "Dell Security Advisory DSA-2023-409 vom 2023-12-23", url: "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-1910 vom 2024-01-23", url: "https://alas.aws.amazon.com/ALAS-2024-1910.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:1027 vom 2024-02-28", url: "https://access.redhat.com/errata/RHSA-2024:1027", }, ], source_lang: "en-US", title: "Red Hat Integration Camel for Spring Boot: Mehrere Schwachstellen", tracking: { current_release_date: "2024-02-28T23:00:00.000+00:00", generator: { date: "2024-08-15T17:50:22.698+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1142", initial_release_date: "2023-05-03T22:00:00.000+00:00", revision_history: [ { date: "2023-05-03T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-05-18T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-15T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-19T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-25T22:00:00.000+00:00", number: "5", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-28T22:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-06-29T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-07-25T22:00:00.000+00:00", number: "8", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2023-08-07T22:00:00.000+00:00", number: "9", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-08-16T22:00:00.000+00:00", number: "10", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-08-31T22:00:00.000+00:00", number: "11", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-12-06T23:00:00.000+00:00", number: "12", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2023-12-21T23:00:00.000+00:00", number: "13", summary: "Neue Updates von Dell aufgenommen", }, { date: "2023-12-26T23:00:00.000+00:00", number: "14", summary: "Neue Updates von Dell aufgenommen", }, { date: "2024-01-22T23:00:00.000+00:00", number: "15", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2024-02-28T23:00:00.000+00:00", number: "16", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "16", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Dell NetWorker", product: { name: "Dell NetWorker", product_id: "T024663", product_identification_helper: { cpe: "cpe:/a:dell:networker:-", }, }, }, ], category: "vendor", name: "Dell", }, { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, { category: "product_version_range", name: "Integration Camel for Spring Boot < 3.20.1", product: { name: "Red Hat Enterprise Linux Integration Camel for Spring Boot < 3.20.1", product_id: "T027614", }, }, ], category: "product_name", name: "Enterprise Linux", }, { branches: [ { category: "product_version", name: "Camel Extensions for Quarkus 1", product: { name: "Red Hat Integration Camel Extensions for Quarkus 1", product_id: "T026453", product_identification_helper: { cpe: "cpe:/a:redhat:integration:camel_extensions_for_quarkus_1", }, }, }, ], category: "product_name", name: "Integration", }, { branches: [ { category: "product_version_range", name: "Container Platform < 4.10.62", product: { name: "Red Hat OpenShift Container Platform < 4.10.62", product_id: "T028308", }, }, { category: "product_version", name: "Application Runtimes", product: { name: "Red Hat OpenShift Application Runtimes", product_id: "T029341", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:application_runtimes", }, }, }, ], category: "product_name", name: "OpenShift", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-22602", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-22602", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-20860", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-20860", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-4492", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-4492", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-41854", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41854", }, { cve: "CVE-2022-41853", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41853", }, { cve: "CVE-2022-41852", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41852", }, { cve: "CVE-2022-41704", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-41704", }, { cve: "CVE-2022-40156", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40156", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40151", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40151", }, { cve: "CVE-2022-40150", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40150", }, { cve: "CVE-2022-40146", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-40146", }, { cve: "CVE-2022-39368", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-39368", }, { cve: "CVE-2022-38752", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38752", }, { cve: "CVE-2022-38751", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38751", }, { cve: "CVE-2022-38750", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38750", }, { cve: "CVE-2022-38749", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38749", }, { cve: "CVE-2022-38648", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38648", }, { cve: "CVE-2022-38398", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-38398", }, { cve: "CVE-2022-37866", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-37866", }, { cve: "CVE-2022-37865", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-37865", }, { cve: "CVE-2022-33681", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-33681", }, { cve: "CVE-2022-31777", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-31777", }, { cve: "CVE-2022-25857", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2022-25857", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In der Red Hat Integration Camel for Spring Boot existieren mehrere Schwachstellen in unterschiedlichen Komponenten. Ein Angreifer kann diese Schwachstellen ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität zu gefährden. Zur Ausnutzung einiger dieser Schwachstellen ist eine Anmeldung oder Nutzerinteraktion nötig.", }, ], product_status: { known_affected: [ "T029341", "67646", "T027614", "T028308", "T024663", "398363", "T026453", ], }, release_date: "2023-05-03T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
WID-SEC-W-2023-1792
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Policy Automation: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Policy Automation dient der automatisierten Verwaltung und Durchsetzung von Richtlinien.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Policy Automation ausnutzen, um die Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Policy Automation dient der automatisierten Verwaltung und Durchsetzung von Richtlinien.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Policy Automation ausnutzen, um die Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1792 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1792.json", }, { category: "self", summary: "WID-SEC-2023-1792 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1792", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Policy Automation vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixPOLI", }, ], source_lang: "en-US", title: "Oracle Policy Automation: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:46.821+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1792", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Policy Automation < 12.2.30", product: { name: "Oracle Policy Automation < 12.2.30", product_id: "T028722", product_identification_helper: { cpe: "cpe:/a:oracle:policy_automation:12.2.30", }, }, }, { category: "product_name", name: "Oracle Policy Automation < 12.2.31", product: { name: "Oracle Policy Automation < 12.2.31", product_id: "T028723", product_identification_helper: { cpe: "cpe:/a:oracle:policy_automation:12.2.31", }, }, }, ], category: "product_name", name: "Policy Automation", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Policy Automation existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Policy Automation existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Verfügbarkeit gefährden. Für die Ausnutzung dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"MITTEL\" für die Schadenshöhe.", }, ], release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, ], }
WID-SEC-W-2023-1808
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1808 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1808.json", }, { category: "self", summary: "WID-SEC-2023-1808 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1808", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Financial Services Applications vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:51.752+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1808", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Financial Services Applications 8.1.0", product: { name: "Oracle Financial Services Applications 8.1.0", product_id: "T018983", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.3", product: { name: "Oracle Financial Services Applications <= 14.3", product_id: "T019887", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1", product: { name: "Oracle Financial Services Applications 8.1.1", product_id: "T019891", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.7", product: { name: "Oracle Financial Services Applications 8.0.7", product_id: "T021676", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8", product: { name: "Oracle Financial Services Applications 8.0.8", product_id: "T021677", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.1.1", product: { name: "Oracle Financial Services Applications 8.1.1.1", product_id: "T022835", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.1", product: { name: "Oracle Financial Services Applications 8.0.8.1", product_id: "T022844", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.0.8.2", product: { name: "Oracle Financial Services Applications 8.0.8.2", product_id: "T024990", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.7", product: { name: "Oracle Financial Services Applications <= 14.7", product_id: "T027348", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.4", product: { name: "Oracle Financial Services Applications 8.1.2.4", product_id: "T027351", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.4", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.6", product: { name: "Oracle Financial Services Applications 14.6", product_id: "T027355", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 18.2.0.0.0", product: { name: "Oracle Financial Services Applications 18.2.0.0.0", product_id: "T028691", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:18.2.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 18.3.0.0.0", product: { name: "Oracle Financial Services Applications 18.3.0.0.0", product_id: "T028692", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:18.3.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.1.0.0.0", product: { name: "Oracle Financial Services Applications 19.1.0.0.0", product_id: "T028693", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.1.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.2.0.0.0", product: { name: "Oracle Financial Services Applications 19.2.0.0.0", product_id: "T028694", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.2.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 21.1.0.0.0", product: { name: "Oracle Financial Services Applications 21.1.0.0.0", product_id: "T028695", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:21.1.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.1.0.0.0", product: { name: "Oracle Financial Services Applications 22.1.0.0.0", product_id: "T028696", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.1.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.2.0.0.0", product: { name: "Oracle Financial Services Applications 22.2.0.0.0", product_id: "T028697", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.2.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.2.0", product: { name: "Oracle Financial Services Applications 14.7.0.2.0", product_id: "T028698", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.2.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.1.0.0", product: { name: "Oracle Financial Services Applications 14.7.1.0.0", product_id: "T028699", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.1.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.5.0.8.0", product: { name: "Oracle Financial Services Applications 14.5.0.8.0", product_id: "T028700", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.5.0.8.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.6.0.4.0", product: { name: "Oracle Financial Services Applications 14.6.0.4.0", product_id: "T028701", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6.0.4.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.0.0", product: { name: "Oracle Financial Services Applications 14.7.0.0.0", product_id: "T028702", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.0.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.6.0.3.0", product: { name: "Oracle Financial Services Applications 14.6.0.3.0", product_id: "T028703", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6.0.3.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0.1.0", product: { name: "Oracle Financial Services Applications 14.7.0.1.0", product_id: "T028704", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.1.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2", product: { name: "Oracle Financial Services Applications 8.1.2", product_id: "T028705", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.5", product: { name: "Oracle Financial Services Applications 8.1.2.5", product_id: "T028706", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.5", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 14.7.0", product: { name: "Oracle Financial Services Applications 14.7.0", product_id: "T028707", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28708", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28708", }, { cve: "CVE-2023-28439", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28439", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2022-46364", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-46364", }, { cve: "CVE-2022-45693", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45693", }, { cve: "CVE-2022-45199", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45199", }, { cve: "CVE-2022-45143", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45143", }, { cve: "CVE-2022-45047", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45047", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-33879", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-33879", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-31692", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-31692", }, { cve: "CVE-2022-31129", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-31129", }, { cve: "CVE-2022-2048", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-2048", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T019891", "T021677", "T022844", "T018983", "T021676", "T028707", "T028705", "T028706", "T028703", "T028704", "T028701", "T028702", "T028700", "T027355", "T028693", "T028694", "T028691", "T028692", "T022835", "T028699", "T028697", "T028698", "T028695", "T024990", "T028696", ], last_affected: [ "T019887", "T027348", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-13936", }, ], }
wid-sec-w-2023-1782
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-18 22:00
Summary
Oracle Utilities Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Utilities Applications ist eine Produktfamilie mit branchenspezifischen Lösungen für Ver- und Entsorger.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Utilities Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Utilities Applications ist eine Produktfamilie mit branchenspezifischen Lösungen für Ver- und Entsorger.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Utilities Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows\n- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1782 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1782.json", }, { category: "self", summary: "WID-SEC-2023-1782 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1782", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Utilities Applications vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixUTIL", }, ], source_lang: "en-US", title: "Oracle Utilities Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-18T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:44.342+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1782", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Utilities Applications 2.5.0.2", product: { name: "Oracle Utilities Applications 2.5.0.2", product_id: "T028753", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:2.5.0.2", }, }, }, { category: "product_name", name: "Oracle Utilities Applications <= 7.0.0.0", product: { name: "Oracle Utilities Applications <= 7.0.0.0", product_id: "T028754", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:7.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications <= 6.0.0.3", product: { name: "Oracle Utilities Applications <= 6.0.0.3", product_id: "T028755", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:6.0.0.3", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 7.0.0.0", product: { name: "Oracle Utilities Applications 7.0.0.0", product_id: "T028756", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:7.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 13.4.1.0.0", product: { name: "Oracle Utilities Applications 13.4.1.0.0", product_id: "T028757", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:13.4.1.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 13.5.1.0.0", product: { name: "Oracle Utilities Applications 13.5.1.0.0", product_id: "T028758", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:13.5.1.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.2.0.3.0", product: { name: "Oracle Utilities Applications 4.2.0.3.0", product_id: "T028759", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.2.0.3.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications <= 4.3.0.6.0", product: { name: "Oracle Utilities Applications <= 4.3.0.6.0", product_id: "T028760", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.3.0.6.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.4.0.0.0", product: { name: "Oracle Utilities Applications 4.4.0.0.0", product_id: "T028761", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.4.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.4.0.2.0", product: { name: "Oracle Utilities Applications 4.4.0.2.0", product_id: "T028762", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.4.0.2.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.4.0.3.0", product: { name: "Oracle Utilities Applications 4.4.0.3.0", product_id: "T028763", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.4.0.3.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.5.0.0.0", product: { name: "Oracle Utilities Applications 4.5.0.0.0", product_id: "T028764", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.5.0.0.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.5.0.1.0", product: { name: "Oracle Utilities Applications 4.5.0.1.0", product_id: "T028765", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.5.0.1.0", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 4.5.0.1.1", product: { name: "Oracle Utilities Applications 4.5.0.1.1", product_id: "T028766", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:4.5.0.1.1", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 2.5.0.1", product: { name: "Oracle Utilities Applications 2.5.0.1", product_id: "T028767", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:2.5.0.1", }, }, }, { category: "product_name", name: "Oracle Utilities Applications 2.6.0.0", product: { name: "Oracle Utilities Applications 2.6.0.0", product_id: "T028768", product_identification_helper: { cpe: "cpe:/a:oracle:utilities:2.6.0.0", }, }, }, ], category: "product_name", name: "Utilities Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28708", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28708", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-20873", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20873", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-40150", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-40150", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Utilities Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028758", "T028759", "T028756", "T028767", "T028757", "T028768", "T028765", "T028766", "T028763", "T028753", "T028764", "T028761", "T028762", ], last_affected: [ "T028760", "T028754", "T028755", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, ], }
wid-sec-w-2023-2675
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-10-17 22:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2675 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2675.json", }, { category: "self", summary: "WID-SEC-2023-2675 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2675", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - October 2023 - Appendix Oracle Financial Services Applications vom 2023-10-17", url: "https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-10-17T22:00:00.000+00:00", generator: { date: "2024-08-15T17:59:59.509+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2675", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Financial Services Applications 2.6.2", product: { name: "Oracle Financial Services Applications 2.6.2", product_id: "T018977", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.6.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.9.0", product: { name: "Oracle Financial Services Applications 2.9.0", product_id: "T018981", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.9.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.3", product: { name: "Oracle Financial Services Applications <= 14.3", product_id: "T019887", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 12.3", product: { name: "Oracle Financial Services Applications 12.3", product_id: "T019893", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:12.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 12.4", product: { name: "Oracle Financial Services Applications 12.4", product_id: "T019894", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:12.4", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 11.8", product: { name: "Oracle Financial Services Applications <= 11.8", product_id: "T020696", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:11.8", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 11.10", product: { name: "Oracle Financial Services Applications 11.10", product_id: "T020698", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:11.10", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 18.3", product: { name: "Oracle Financial Services Applications 18.3", product_id: "T021669", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:18.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.1", product: { name: "Oracle Financial Services Applications 19.1", product_id: "T021670", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.2", product: { name: "Oracle Financial Services Applications 19.2", product_id: "T021671", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 21.1", product: { name: "Oracle Financial Services Applications 21.1", product_id: "T021673", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:21.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.7", product: { name: "Oracle Financial Services Applications 2.7", product_id: "T023927", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.12", product: { name: "Oracle Financial Services Applications 2.12", product_id: "T023929", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.12", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.7", product: { name: "Oracle Financial Services Applications <= 14.7", product_id: "T027348", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.1", product: { name: "Oracle Financial Services Applications 22.1", product_id: "T027349", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.2", product: { name: "Oracle Financial Services Applications 22.2", product_id: "T027350", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.4", product: { name: "Oracle Financial Services Applications 8.1.2.4", product_id: "T027351", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.4", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.3", product: { name: "Oracle Financial Services Applications 8.1.2.3", product_id: "T027352", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 11.11", product: { name: "Oracle Financial Services Applications 11.11", product_id: "T027366", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:11.11", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-34981", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-34981", }, { cve: "CVE-2023-34462", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-34462", }, { cve: "CVE-2023-33201", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-33201", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-28439", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-28439", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-22946", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22946", }, { cve: "CVE-2023-22125", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22125", }, { cve: "CVE-2023-22124", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22124", }, { cve: "CVE-2023-22123", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22123", }, { cve: "CVE-2023-22122", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22122", }, { cve: "CVE-2023-22121", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22121", }, { cve: "CVE-2023-22119", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22119", }, { cve: "CVE-2023-22118", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22118", }, { cve: "CVE-2023-22117", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22117", }, { cve: "CVE-2023-20883", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20883", }, { cve: "CVE-2023-20873", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20873", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-33980", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-33980", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-29577", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-29577", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-41165", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-41165", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
WID-SEC-W-2023-1812
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-20 22:00
Summary
Oracle Communications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1812 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1812.json", }, { category: "self", summary: "WID-SEC-2023-1812 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1812", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2023:2263-2 vom 2023-07-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2023-July/015545.html", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Communications vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixCGBU", }, ], source_lang: "en-US", title: "Oracle Communications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-20T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:52.927+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1812", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-07-20T22:00:00.000+00:00", number: "2", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Communications 5.0", product: { name: "Oracle Communications 5.0", product_id: "T021645", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.0", }, }, }, { category: "product_name", name: "Oracle Communications 8.6.0.0", product: { name: "Oracle Communications 8.6.0.0", product_id: "T024970", product_identification_helper: { cpe: "cpe:/a:oracle:communications:8.6.0.0", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.0", product: { name: "Oracle Communications 22.4.0", product_id: "T024981", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.0", }, }, }, { category: "product_name", name: "Oracle Communications 22.3.2", product: { name: "Oracle Communications 22.3.2", product_id: "T025865", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.3.2", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.1", product: { name: "Oracle Communications 22.4.1", product_id: "T025869", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.1", }, }, }, { category: "product_name", name: "Oracle Communications 23.1.0", product: { name: "Oracle Communications 23.1.0", product_id: "T027326", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.0", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.2", product: { name: "Oracle Communications 22.4.2", product_id: "T027327", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.2", }, }, }, { category: "product_name", name: "Oracle Communications 23.1.1", product: { name: "Oracle Communications 23.1.1", product_id: "T027329", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.1", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.3", product: { name: "Oracle Communications 22.4.3", product_id: "T028680", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.3", }, }, }, { category: "product_name", name: "Oracle Communications 23.1.2", product: { name: "Oracle Communications 23.1.2", product_id: "T028681", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.2", }, }, }, { category: "product_name", name: "Oracle Communications 23.2.0", product: { name: "Oracle Communications 23.2.0", product_id: "T028682", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.2.0", }, }, }, { category: "product_name", name: "Oracle Communications 6.2.0", product: { name: "Oracle Communications 6.2.0", product_id: "T028683", product_identification_helper: { cpe: "cpe:/a:oracle:communications:6.2.0", }, }, }, { category: "product_name", name: "Oracle Communications 5.1", product: { name: "Oracle Communications 5.1", product_id: "T028684", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.1", }, }, }, { category: "product_name", name: "Oracle Communications 9.1.1.5.0", product: { name: "Oracle Communications 9.1.1.5.0", product_id: "T028685", product_identification_helper: { cpe: "cpe:/a:oracle:communications:9.1.1.5.0", }, }, }, ], category: "product_name", name: "Communications", }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, ], }, vulnerabilities: [ { cve: "CVE-2023-30861", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-30861", }, { cve: "CVE-2023-29007", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-29007", }, { cve: "CVE-2023-28856", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28856", }, { cve: "CVE-2023-28708", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28708", }, { cve: "CVE-2023-28484", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28484", }, { cve: "CVE-2023-27901", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-27901", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-23931", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-23931", }, { cve: "CVE-2023-22809", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22809", }, { cve: "CVE-2023-21971", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-21971", }, { cve: "CVE-2023-20873", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20873", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-1999", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1999", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-0767", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0767", }, { cve: "CVE-2023-0361", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0361", }, { cve: "CVE-2023-0286", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0286", }, { cve: "CVE-2023-0215", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0215", }, { cve: "CVE-2022-45787", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45787", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45061", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45061", }, { cve: "CVE-2022-4450", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-4450", }, { cve: "CVE-2022-42898", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42898", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-36944", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-36944", }, { cve: "CVE-2022-2963", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-2963", }, { cve: "CVE-2022-25147", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-25147", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-40528", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-40528", }, { cve: "CVE-2021-25220", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-25220", }, { cve: "CVE-2020-10735", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-10735", }, ], }
WID-SEC-W-2023-2700
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-12-12 23:00
Summary
Atlassian Confluence: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Confluence ist eine kommerzielle Wiki-Software.
Jira ist eine Webanwendung zur Softwareentwicklung.
Bitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.
Bamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "kritisch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Confluence ist eine kommerzielle Wiki-Software.\r\nJira ist eine Webanwendung zur Softwareentwicklung.\r\nBitbucket ist ein Git-Server zur Sourcecode-Versionskontrolle.\r\nBamboo ist ein Werkzeug zur kontinuierlichen Integration und Bereitstellung, das automatisierte Builds, Tests und Freigaben in einem einzigen Arbeitsablauf verbindet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2700 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2700.json", }, { category: "self", summary: "WID-SEC-2023-2700 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2700", }, { category: "external", summary: "Atlassian Security Update vom 2023-10-17", url: "https://confluence.atlassian.com/security/security-bulletin-october-17-2023-1299929380.html", }, { category: "external", summary: "Atlassian Security Bulletin December 12 2023 vom 2023-12-12", url: "https://confluence.atlassian.com/security/security-bulletin-december-12-2023-1319249520.html", }, ], source_lang: "en-US", title: "Atlassian Confluence: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-12T23:00:00.000+00:00", generator: { date: "2024-08-15T18:00:13.228+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2700", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-12T23:00:00.000+00:00", number: "2", summary: "Neue Updates aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Atlassian Bamboo < 9.2.7", product: { name: "Atlassian Bamboo < 9.2.7", product_id: "1529586", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.7", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product: { name: "Atlassian Bamboo < 9.2.5 Data Center and Server", product_id: "T030667", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.2.5_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.1 Data Center and Server", product_id: "T030668", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product: { name: "Atlassian Bamboo < 9.3.3 Data Center and Server", product_id: "T030669", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.3_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bamboo < 9.3.5", product: { name: "Atlassian Bamboo < 9.3.5", product_id: "T031324", product_identification_helper: { cpe: "cpe:/a:atlassian:bamboo:9.3.5", }, }, }, ], category: "product_name", name: "Bamboo", }, { branches: [ { category: "product_name", name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product: { name: "Atlassian Bitbucket < 8.13.1 Data Center and Server", product_id: "T030666", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.1_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 7.21.18", product: { name: "Atlassian Bitbucket < 7.21.18", product_id: "T031325", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:7.21.18", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.9.7", product: { name: "Atlassian Bitbucket < 8.9.7", product_id: "T031614", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.9.7", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.11.6", product: { name: "Atlassian Bitbucket < 8.11.6", product_id: "T031615", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.11.6", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.12.4", product: { name: "Atlassian Bitbucket < 8.12.4", product_id: "T031616", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.12.4", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.13.3", product: { name: "Atlassian Bitbucket < 8.13.3", product_id: "T031617", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.13.3", }, }, }, { category: "product_name", name: "Atlassian Bitbucket < 8.14.2", product: { name: "Atlassian Bitbucket < 8.14.2", product_id: "T031618", product_identification_helper: { cpe: "cpe:/a:atlassian:bitbucket:8.14.2", }, }, }, ], category: "product_name", name: "Bitbucket", }, { branches: [ { category: "product_name", name: "Atlassian Confluence < 8.3.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.3.3 Server and Data Center", product_id: "T030660", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.2 Server and Data Center", product: { name: "Atlassian Confluence < 8.5.2 Server and Data Center", product_id: "T030662", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.2_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.3 Server and Data Center", product: { name: "Atlassian Confluence < 8.4.3 Server and Data Center", product_id: "T030663", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.3_server_and_data_center", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.3.4", product: { name: "Atlassian Confluence < 8.3.4", product_id: "T030846", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.3.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 7.19.17", product: { name: "Atlassian Confluence < 7.19.17", product_id: "T031609", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:7.19.17", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.4.5", product: { name: "Atlassian Confluence < 8.4.5", product_id: "T031610", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.4.5", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.5.4", product: { name: "Atlassian Confluence < 8.5.4", product_id: "T031611", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.5.4", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.6.2", product: { name: "Atlassian Confluence < 8.6.2", product_id: "T031612", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.6.2", }, }, }, { category: "product_name", name: "Atlassian Confluence < 8.7.1", product: { name: "Atlassian Confluence < 8.7.1", product_id: "T031613", product_identification_helper: { cpe: "cpe:/a:atlassian:confluence:8.7.1", }, }, }, ], category: "product_name", name: "Confluence", }, { branches: [ { category: "product_name", name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 4.20.27 Service Management Data Center and Server", product_id: "T030664", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:4.20.27_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product: { name: "Atlassian Jira Software < 5.4.11 Service Management Data Center and Server", product_id: "T030665", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:5.4.11_service_management_data_center_and_server", }, }, }, { category: "product_name", name: "Atlassian Jira Software < 9.4.13", product: { name: "Atlassian Jira Software < 9.4.13", product_id: "T031606", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:9.4.13", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 4.20.28", product: { name: "Atlassian Jira Software Service Management < 4.20.28", product_id: "T031607", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__4.20.28", }, }, }, { category: "product_name", name: "Atlassian Jira Software Service Management < 5.4.12", product: { name: "Atlassian Jira Software Service Management < 5.4.12", product_id: "T031608", product_identification_helper: { cpe: "cpe:/a:atlassian:jira_software:service_management__5.4.12", }, }, }, ], category: "product_name", name: "Jira Software", }, ], category: "vendor", name: "Atlassian", }, ], }, vulnerabilities: [ { cve: "CVE-2023-28709", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-28709", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-22515", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22515", }, { cve: "CVE-2023-22514", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22514", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45685", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45685", }, { cve: "CVE-2022-42004", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42004", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41906", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41906", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-3509", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3509", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2021-46877", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-46877", }, { cve: "CVE-2021-31684", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-31684", }, { cve: "CVE-2021-22569", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-22569", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2020-13936", }, { cve: "CVE-2019-13990", notes: [ { category: "description", text: "In Atlassian Confluence, Atlassian Jira Software, Atlassian Bitbucket und Atlassian Bamboo existieren mehrere Schwachstellen. Diese Schwachstellen bestehen teilweise in Komponenten von Drittanbietern und sind nicht im Detail beschrieben. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um Administratorrechte zu erlangen, Informationen offenzulegen, beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. Für die Ausnutzung einiger dieser Schwachstellen ist eine Benutzerinteraktion erforderlich.", }, ], product_status: { known_affected: [ "T031324", "T031610", "T031612", "T031325", "T031611", "T031614", "T031613", "1529586", "T030846", "T031616", "T031615", "T031607", "T031618", "T031606", "T031617", "T031609", "T031608", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2019-13990", }, ], }
wid-sec-w-2023-1807
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-12-26 23:00
Summary
Oracle Fusion Middleware: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.
Angriff
Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Fusion Middleware bündelt mehrere Produkte zur Erstellung, Betrieb und Management von intelligenten Business Anwendungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Oracle Fusion Middleware ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1807 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1807.json", }, { category: "self", summary: "WID-SEC-2023-1807 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1807", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Fusion Middleware vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixFMW", }, { category: "external", summary: "Dell Security Advisory DSA-2023-409 vom 2023-12-23", url: "https://www.dell.com/support/kbdoc/000220669/dsa-2023-=", }, ], source_lang: "en-US", title: "Oracle Fusion Middleware: Mehrere Schwachstellen", tracking: { current_release_date: "2023-12-26T23:00:00.000+00:00", generator: { date: "2024-08-15T17:55:51.397+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1807", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-12-26T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Dell aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.3.0", product: { name: "Oracle Fusion Middleware 12.2.1.3.0", product_id: "618028", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.3.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 12.2.1.4.0", product: { name: "Oracle Fusion Middleware 12.2.1.4.0", product_id: "751674", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:12.2.1.4.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 14.1.1.0.0", product: { name: "Oracle Fusion Middleware 14.1.1.0.0", product_id: "829576", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:14.1.1.0.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware 9.1.0", product: { name: "Oracle Fusion Middleware 9.1.0", product_id: "T022847", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:9.1.0", }, }, }, { category: "product_name", name: "Oracle Fusion Middleware < 11.1.2.3.1", product: { name: "Oracle Fusion Middleware < 11.1.2.3.1", product_id: "T028708", product_identification_helper: { cpe: "cpe:/a:oracle:fusion_middleware:11.1.2.3.1", }, }, }, ], category: "product_name", name: "Fusion Middleware", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-26119", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-26119", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-25690", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25690", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-23914", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-23914", }, { cve: "CVE-2023-22899", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22899", }, { cve: "CVE-2023-22040", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22040", }, { cve: "CVE-2023-22031", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22031", }, { cve: "CVE-2023-21994", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-21994", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-20860", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20860", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45047", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45047", }, { cve: "CVE-2022-43680", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-43680", }, { cve: "CVE-2022-42920", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42920", }, { cve: "CVE-2022-42890", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42890", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41853", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41853", }, { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-33879", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-33879", }, { cve: "CVE-2022-31197", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-31197", }, { cve: "CVE-2022-29546", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-29546", }, { cve: "CVE-2022-25647", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-25647", }, { cve: "CVE-2022-24409", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-24409", }, { cve: "CVE-2022-23437", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-23437", }, { cve: "CVE-2021-46877", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-46877", }, { cve: "CVE-2021-43113", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-43113", }, { cve: "CVE-2021-42575", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-42575", }, { cve: "CVE-2021-41184", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-41184", }, { cve: "CVE-2021-4104", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-4104", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-37533", }, { cve: "CVE-2021-36374", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-36374", }, { cve: "CVE-2021-36090", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-36090", }, { cve: "CVE-2021-34429", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-34429", }, { cve: "CVE-2021-33813", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-33813", }, { cve: "CVE-2021-29425", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-29425", }, { cve: "CVE-2021-28168", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-28168", }, { cve: "CVE-2021-26117", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-26117", }, { cve: "CVE-2021-23926", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-23926", }, { cve: "CVE-2020-8908", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-8908", }, { cve: "CVE-2020-36518", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-36518", }, { cve: "CVE-2020-17521", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-17521", }, { cve: "CVE-2020-13956", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-13956", }, { cve: "CVE-2020-13936", notes: [ { category: "description", text: "In Oracle Fusion Middleware existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen sind bestimmte Privilegien und eine Benutzerinteraktion erforderlich. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T022847", "618028", "751674", "829576", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-13936", }, ], }
wid-sec-w-2023-1812
Vulnerability from csaf_certbund
Published
2023-07-18 22:00
Modified
2023-07-20 22:00
Summary
Oracle Communications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-1812 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1812.json", }, { category: "self", summary: "WID-SEC-2023-1812 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1812", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2023:2263-2 vom 2023-07-20", url: "https://lists.suse.com/pipermail/sle-security-updates/2023-July/015545.html", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2023 - Appendix Oracle Communications vom 2023-07-18", url: "https://www.oracle.com/security-alerts/cpujul2023.html#AppendixCGBU", }, ], source_lang: "en-US", title: "Oracle Communications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-07-20T22:00:00.000+00:00", generator: { date: "2024-08-15T17:55:52.927+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-1812", initial_release_date: "2023-07-18T22:00:00.000+00:00", revision_history: [ { date: "2023-07-18T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2023-07-20T22:00:00.000+00:00", number: "2", summary: "Neue Updates von SUSE aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Communications 5.0", product: { name: "Oracle Communications 5.0", product_id: "T021645", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.0", }, }, }, { category: "product_name", name: "Oracle Communications 8.6.0.0", product: { name: "Oracle Communications 8.6.0.0", product_id: "T024970", product_identification_helper: { cpe: "cpe:/a:oracle:communications:8.6.0.0", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.0", product: { name: "Oracle Communications 22.4.0", product_id: "T024981", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.0", }, }, }, { category: "product_name", name: "Oracle Communications 22.3.2", product: { name: "Oracle Communications 22.3.2", product_id: "T025865", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.3.2", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.1", product: { name: "Oracle Communications 22.4.1", product_id: "T025869", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.1", }, }, }, { category: "product_name", name: "Oracle Communications 23.1.0", product: { name: "Oracle Communications 23.1.0", product_id: "T027326", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.0", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.2", product: { name: "Oracle Communications 22.4.2", product_id: "T027327", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.2", }, }, }, { category: "product_name", name: "Oracle Communications 23.1.1", product: { name: "Oracle Communications 23.1.1", product_id: "T027329", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.1", }, }, }, { category: "product_name", name: "Oracle Communications 22.4.3", product: { name: "Oracle Communications 22.4.3", product_id: "T028680", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.3", }, }, }, { category: "product_name", name: "Oracle Communications 23.1.2", product: { name: "Oracle Communications 23.1.2", product_id: "T028681", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.2", }, }, }, { category: "product_name", name: "Oracle Communications 23.2.0", product: { name: "Oracle Communications 23.2.0", product_id: "T028682", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.2.0", }, }, }, { category: "product_name", name: "Oracle Communications 6.2.0", product: { name: "Oracle Communications 6.2.0", product_id: "T028683", product_identification_helper: { cpe: "cpe:/a:oracle:communications:6.2.0", }, }, }, { category: "product_name", name: "Oracle Communications 5.1", product: { name: "Oracle Communications 5.1", product_id: "T028684", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.1", }, }, }, { category: "product_name", name: "Oracle Communications 9.1.1.5.0", product: { name: "Oracle Communications 9.1.1.5.0", product_id: "T028685", product_identification_helper: { cpe: "cpe:/a:oracle:communications:9.1.1.5.0", }, }, }, ], category: "product_name", name: "Communications", }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, ], category: "vendor", name: "SUSE", }, ], }, vulnerabilities: [ { cve: "CVE-2023-30861", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-30861", }, { cve: "CVE-2023-29007", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-29007", }, { cve: "CVE-2023-28856", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28856", }, { cve: "CVE-2023-28708", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28708", }, { cve: "CVE-2023-28484", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-28484", }, { cve: "CVE-2023-27901", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-27901", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-25194", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-25194", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-23931", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-23931", }, { cve: "CVE-2023-22809", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-22809", }, { cve: "CVE-2023-21971", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-21971", }, { cve: "CVE-2023-20873", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20873", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-20861", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-20861", }, { cve: "CVE-2023-1999", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1999", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2023-0767", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0767", }, { cve: "CVE-2023-0361", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0361", }, { cve: "CVE-2023-0286", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0286", }, { cve: "CVE-2023-0215", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2023-0215", }, { cve: "CVE-2022-45787", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45787", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-45061", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-45061", }, { cve: "CVE-2022-4450", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-4450", }, { cve: "CVE-2022-42898", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-42898", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-37434", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-37434", }, { cve: "CVE-2022-36944", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-36944", }, { cve: "CVE-2022-2963", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-2963", }, { cve: "CVE-2022-25147", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-25147", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-40528", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-40528", }, { cve: "CVE-2021-25220", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2021-25220", }, { cve: "CVE-2020-10735", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T028683", "T028680", "T028681", "T025869", "T002207", "T025865", "T021645", "T027329", "T027326", "T024970", "T024981", "T027327", "T028684", "T028685", ], }, release_date: "2023-07-18T22:00:00.000+00:00", title: "CVE-2020-10735", }, ], }
WID-SEC-W-2024-0054
Vulnerability from csaf_certbund
Published
2024-01-09 23:00
Modified
2024-01-09 23:00
Summary
IBM Security Verify Access: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM Security Verify Access, ehemals IBM Security Access Manager (ISAM), ist eine Zugriffsverwaltungslösung.
Angriff
Ein Angreifer kann mehrere Schwachstellen in IBM Security Verify Access ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen.
Betroffene Betriebssysteme
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM Security Verify Access, ehemals IBM Security Access Manager (ISAM), ist eine Zugriffsverwaltungslösung.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein Angreifer kann mehrere Schwachstellen in IBM Security Verify Access ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen.", title: "Angriff", }, { category: "general", text: "- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0054 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0054.json", }, { category: "self", summary: "WID-SEC-2024-0054 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0054", }, { category: "external", summary: "IBM Security Bulletin 7106586 vom 2024-01-09", url: "https://www.ibm.com/support/pages/node/7106586", }, { category: "external", summary: "IBM Security Bulletin 7106583 vom 2024-01-09", url: "https://www.ibm.com/support/pages/node/7106583", }, ], source_lang: "en-US", title: "IBM Security Verify Access: Mehrere Schwachstellen", tracking: { current_release_date: "2024-01-09T23:00:00.000+00:00", generator: { date: "2024-08-15T18:03:29.433+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0054", initial_release_date: "2024-01-09T23:00:00.000+00:00", revision_history: [ { date: "2024-01-09T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "IBM Security Verify Access < 10.0.7-ISS-ISVA-FP0000", product: { name: "IBM Security Verify Access < 10.0.7-ISS-ISVA-FP0000", product_id: "T031968", product_identification_helper: { cpe: "cpe:/a:ibm:security_verify_access:10.0.7-iss-isva-fp0000", }, }, }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2032-43016", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2032-43016", }, { cve: "CVE-2023-43017", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-43017", }, { cve: "CVE-2023-40225", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-40225", }, { cve: "CVE-2023-39417", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-39417", }, { cve: "CVE-2023-38369", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-38369", }, { cve: "CVE-2023-38267", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-38267", }, { cve: "CVE-2023-32697", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32697", }, { cve: "CVE-2023-32330", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32330", }, { cve: "CVE-2023-32329", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32329", }, { cve: "CVE-2023-32328", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32328", }, { cve: "CVE-2023-32327", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-32327", }, { cve: "CVE-2023-31006", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31006", }, { cve: "CVE-2023-31005", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31005", }, { cve: "CVE-2023-31004", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31004", }, { cve: "CVE-2023-31003", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31003", }, { cve: "CVE-2023-31002", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31002", }, { cve: "CVE-2023-31001", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-31001", }, { cve: "CVE-2023-30999", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-30999", }, { cve: "CVE-2023-25725", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-25725", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-2455", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-2455", }, { cve: "CVE-2023-2454", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-2454", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-41862", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-41862", }, { cve: "CVE-2022-2625", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-2625", }, { cve: "CVE-2022-2068", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-2068", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2020-11100", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2020-11100", }, { cve: "CVE-2019-19330", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-19330", }, { cve: "CVE-2019-18277", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-18277", }, { cve: "CVE-2019-18276", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-18276", }, { cve: "CVE-2019-14241", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2019-14241", }, { cve: "CVE-2017-18342", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2017-18342", }, { cve: "CVE-2015-5237", notes: [ { category: "description", text: "Es bestehen mehrere Schwachstellen in IBM Security Verify Access. Diese Fehler bestehen in mehreren Komponenten wie Access Manager Container und Drittanbieter-Modulen wie PostgreSQL oder HAProxy. Ein Angreifer kann diese Schwachstellen ausnutzen, um beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, einen Denial-of-Service-Zustand herbeizuführen, vertrauliche Informationen offenzulegen, seine Privilegien zu erweitern oder komplexe Angriffe wie Cache-Poisoning, Cross-Site-Scripting oder Session-Hijacking durchzuführen. Einige der Schwachstellen erfordern eine Interaktion des Benutzers, um sie erfolgreich auszunutzen.", }, ], release_date: "2024-01-09T23:00:00.000+00:00", title: "CVE-2015-5237", }, ], }
WID-SEC-W-2023-2675
Vulnerability from csaf_certbund
Published
2023-10-17 22:00
Modified
2023-10-17 22:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- UNIX
- Linux
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- UNIX\n- Linux\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2023-2675 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2675.json", }, { category: "self", summary: "WID-SEC-2023-2675 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2675", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - October 2023 - Appendix Oracle Financial Services Applications vom 2023-10-17", url: "https://www.oracle.com/security-alerts/cpuoct2023.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2023-10-17T22:00:00.000+00:00", generator: { date: "2024-08-15T17:59:59.509+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2023-2675", initial_release_date: "2023-10-17T22:00:00.000+00:00", revision_history: [ { date: "2023-10-17T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Oracle Financial Services Applications 2.6.2", product: { name: "Oracle Financial Services Applications 2.6.2", product_id: "T018977", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.6.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.9.0", product: { name: "Oracle Financial Services Applications 2.9.0", product_id: "T018981", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.9.0", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.3", product: { name: "Oracle Financial Services Applications <= 14.3", product_id: "T019887", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 12.3", product: { name: "Oracle Financial Services Applications 12.3", product_id: "T019893", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:12.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 12.4", product: { name: "Oracle Financial Services Applications 12.4", product_id: "T019894", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:12.4", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 11.8", product: { name: "Oracle Financial Services Applications <= 11.8", product_id: "T020696", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:11.8", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 11.10", product: { name: "Oracle Financial Services Applications 11.10", product_id: "T020698", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:11.10", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 18.3", product: { name: "Oracle Financial Services Applications 18.3", product_id: "T021669", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:18.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.1", product: { name: "Oracle Financial Services Applications 19.1", product_id: "T021670", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 19.2", product: { name: "Oracle Financial Services Applications 19.2", product_id: "T021671", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:19.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 21.1", product: { name: "Oracle Financial Services Applications 21.1", product_id: "T021673", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:21.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.7", product: { name: "Oracle Financial Services Applications 2.7", product_id: "T023927", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 2.12", product: { name: "Oracle Financial Services Applications 2.12", product_id: "T023929", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.12", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications <= 14.7", product: { name: "Oracle Financial Services Applications <= 14.7", product_id: "T027348", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.1", product: { name: "Oracle Financial Services Applications 22.1", product_id: "T027349", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.1", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 22.2", product: { name: "Oracle Financial Services Applications 22.2", product_id: "T027350", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:22.2", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.4", product: { name: "Oracle Financial Services Applications 8.1.2.4", product_id: "T027351", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.4", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 8.1.2.3", product: { name: "Oracle Financial Services Applications 8.1.2.3", product_id: "T027352", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.3", }, }, }, { category: "product_name", name: "Oracle Financial Services Applications 11.11", product: { name: "Oracle Financial Services Applications 11.11", product_id: "T027366", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:11.11", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-34981", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-34981", }, { cve: "CVE-2023-34462", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-34462", }, { cve: "CVE-2023-33201", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-33201", }, { cve: "CVE-2023-2976", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-2976", }, { cve: "CVE-2023-28439", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-28439", }, { cve: "CVE-2023-26049", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-26049", }, { cve: "CVE-2023-24998", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-24998", }, { cve: "CVE-2023-22946", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22946", }, { cve: "CVE-2023-22125", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22125", }, { cve: "CVE-2023-22124", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22124", }, { cve: "CVE-2023-22123", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22123", }, { cve: "CVE-2023-22122", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22122", }, { cve: "CVE-2023-22121", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22121", }, { cve: "CVE-2023-22119", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22119", }, { cve: "CVE-2023-22118", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22118", }, { cve: "CVE-2023-22117", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-22117", }, { cve: "CVE-2023-20883", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20883", }, { cve: "CVE-2023-20873", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20873", }, { cve: "CVE-2023-20863", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20863", }, { cve: "CVE-2023-20862", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-20862", }, { cve: "CVE-2023-1436", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1436", }, { cve: "CVE-2023-1370", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2023-1370", }, { cve: "CVE-2022-48285", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-48285", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2022-42003", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-42003", }, { cve: "CVE-2022-41966", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41966", }, { cve: "CVE-2022-41881", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-41881", }, { cve: "CVE-2022-36033", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-36033", }, { cve: "CVE-2022-33980", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-33980", }, { cve: "CVE-2022-3171", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-3171", }, { cve: "CVE-2022-29577", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-29577", }, { cve: "CVE-2022-1471", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2022-1471", }, { cve: "CVE-2021-41165", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-41165", }, { cve: "CVE-2021-37533", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T027351", "T027352", "T027350", "T023927", "T019894", "T018981", "T019893", "T023929", "T020698", "T021669", "T018977", "T027349", "T021673", "T027366", "T021671", "T021670", ], last_affected: [ "T019887", "T020696", "T027348", ], }, release_date: "2023-10-17T22:00:00.000+00:00", title: "CVE-2021-37533", }, ], }
NCSC-2024-0296
Vulnerability from csaf_ncscnl
Published
2024-07-17 13:53
Modified
2024-07-17 13:53
Summary
Kwetsbaarheden verholpen in Oracle Enterprise Manager
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er zijn kwetsbaarheden verholpen in Oracle Enterprise Manager.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
Oplossingen
Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans
medium
Schade
high
CWE-130
Improper Handling of Length Parameter Inconsistency
CWE-20
Improper Input Validation
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-222
Truncation of Security-relevant Information
CWE-404
Improper Resource Shutdown or Release
CWE-674
Uncontrolled Recursion
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Er zijn kwetsbaarheden verholpen in Oracle Enterprise Manager.", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "general", text: "Truncation of Security-relevant Information", title: "CWE-222", }, { category: "general", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "general", text: "Uncontrolled Recursion", title: "CWE-674", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "Reference - oracle", url: "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json", }, { category: "external", summary: "Reference - cveprojectv5; ibm; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], title: "Kwetsbaarheden verholpen in Oracle Enterprise Manager", tracking: { current_release_date: "2024-07-17T13:53:28.440252Z", id: "NCSC-2024-0296", initial_release_date: "2024-07-17T13:53:28.440252Z", revision_history: [ { date: "2024-07-17T13:53:28.440252Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "application_testing_suite", product: { name: "application_testing_suite", product_id: "CSAFPID-5546", product_identification_helper: { cpe: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-816810", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:_agent_next_gen___13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-816811", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:_extensibility_framework___13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-135360", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-179794", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_exadata", product: { name: "enterprise_manager_for_exadata", product_id: "CSAFPID-577246", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_exadata:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_fusion_middleware", product: { name: "enterprise_manager_for_fusion_middleware", product_id: "CSAFPID-220465", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_peoplesoft", product: { name: "enterprise_manager_for_peoplesoft", product_id: "CSAFPID-204465", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.5.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_virtualization", product: { name: "enterprise_manager_for_virtualization", product_id: "CSAFPID-611588", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_ops_center", product: { name: "enterprise_manager_ops_center", product_id: "CSAFPID-9557", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-37533", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, notes: [ { category: "other", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-5546", "CSAFPID-179794", "CSAFPID-9557", "CSAFPID-204465", "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-135360", "CSAFPID-816810", "CSAFPID-816811", "CSAFPID-611588", ], }, references: [ { category: "self", summary: "CVE-2021-37533", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-37533.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-5546", "CSAFPID-179794", "CSAFPID-9557", "CSAFPID-204465", "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-135360", "CSAFPID-816810", "CSAFPID-816811", "CSAFPID-611588", ], }, ], title: "CVE-2021-37533", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, notes: [ { category: "other", text: "Uncontrolled Recursion", title: "CWE-674", }, { category: "other", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, ], product_status: { known_affected: [ "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, references: [ { category: "self", summary: "CVE-2023-1370", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1370.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, ], title: "CVE-2023-1370", }, { cve: "CVE-2023-40167", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, notes: [ { category: "other", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, ], product_status: { known_affected: [ "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, references: [ { category: "self", summary: "CVE-2023-40167", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-40167.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, ], title: "CVE-2023-40167", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, notes: [ { category: "other", text: "Truncation of Security-relevant Information", title: "CWE-222", }, ], product_status: { known_affected: [ "CSAFPID-179794", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-816810", "CSAFPID-816811", ], }, references: [ { category: "self", summary: "CVE-2023-48795", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-48795.json", }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-179794", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-816810", "CSAFPID-816811", ], }, ], title: "CVE-2023-48795", }, ], }
ncsc-2024-0296
Vulnerability from csaf_ncscnl
Published
2024-07-17 13:53
Modified
2024-07-17 13:53
Summary
Kwetsbaarheden verholpen in Oracle Enterprise Manager
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er zijn kwetsbaarheden verholpen in Oracle Enterprise Manager.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
Oplossingen
Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans
medium
Schade
high
CWE-130
Improper Handling of Length Parameter Inconsistency
CWE-20
Improper Input Validation
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-222
Truncation of Security-relevant Information
CWE-404
Improper Resource Shutdown or Release
CWE-674
Uncontrolled Recursion
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Er zijn kwetsbaarheden verholpen in Oracle Enterprise Manager.", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "general", text: "Truncation of Security-relevant Information", title: "CWE-222", }, { category: "general", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "general", text: "Uncontrolled Recursion", title: "CWE-674", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-40167", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "Reference - oracle", url: "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json", }, { category: "external", summary: "Reference - cveprojectv5; ibm; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], title: "Kwetsbaarheden verholpen in Oracle Enterprise Manager", tracking: { current_release_date: "2024-07-17T13:53:28.440252Z", id: "NCSC-2024-0296", initial_release_date: "2024-07-17T13:53:28.440252Z", revision_history: [ { date: "2024-07-17T13:53:28.440252Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "application_testing_suite", product: { name: "application_testing_suite", product_id: "CSAFPID-5546", product_identification_helper: { cpe: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-816810", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:_agent_next_gen___13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-816811", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:_extensibility_framework___13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-135360", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-179794", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_exadata", product: { name: "enterprise_manager_for_exadata", product_id: "CSAFPID-577246", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_exadata:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_fusion_middleware", product: { name: "enterprise_manager_for_fusion_middleware", product_id: "CSAFPID-220465", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_peoplesoft", product: { name: "enterprise_manager_for_peoplesoft", product_id: "CSAFPID-204465", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.5.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_virtualization", product: { name: "enterprise_manager_for_virtualization", product_id: "CSAFPID-611588", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_ops_center", product: { name: "enterprise_manager_ops_center", product_id: "CSAFPID-9557", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-37533", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, notes: [ { category: "other", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-5546", "CSAFPID-179794", "CSAFPID-9557", "CSAFPID-204465", "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-135360", "CSAFPID-816810", "CSAFPID-816811", "CSAFPID-611588", ], }, references: [ { category: "self", summary: "CVE-2021-37533", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-37533.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-5546", "CSAFPID-179794", "CSAFPID-9557", "CSAFPID-204465", "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-135360", "CSAFPID-816810", "CSAFPID-816811", "CSAFPID-611588", ], }, ], title: "CVE-2021-37533", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, notes: [ { category: "other", text: "Uncontrolled Recursion", title: "CWE-674", }, { category: "other", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, ], product_status: { known_affected: [ "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, references: [ { category: "self", summary: "CVE-2023-1370", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1370.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-577246", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, ], title: "CVE-2023-1370", }, { cve: "CVE-2023-40167", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, notes: [ { category: "other", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, ], product_status: { known_affected: [ "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, references: [ { category: "self", summary: "CVE-2023-40167", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-40167.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-179794", "CSAFPID-204465", "CSAFPID-816810", "CSAFPID-816811", ], }, ], title: "CVE-2023-40167", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, notes: [ { category: "other", text: "Truncation of Security-relevant Information", title: "CWE-222", }, ], product_status: { known_affected: [ "CSAFPID-179794", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-816810", "CSAFPID-816811", ], }, references: [ { category: "self", summary: "CVE-2023-48795", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-48795.json", }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-179794", "CSAFPID-5546", "CSAFPID-9557", "CSAFPID-220465", "CSAFPID-611588", "CSAFPID-816810", "CSAFPID-816811", ], }, ], title: "CVE-2023-48795", }, ], }
ncsc-2024-0299
Vulnerability from csaf_ncscnl
Published
2024-07-17 13:54
Modified
2024-07-17 13:54
Summary
Kwetsbaarheden verholpen in Oracle Analytics
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er zijn kwetsbaarheden verholpen in Oracle Analytics.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
* (Remote) code execution (Gebruikersrechten)
Oplossingen
Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans
medium
Schade
high
CWE-20
Improper Input Validation
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-222
Truncation of Security-relevant Information
CWE-285
Improper Authorization
CWE-400
Uncontrolled Resource Consumption
CWE-404
Improper Resource Shutdown or Release
CWE-426
Untrusted Search Path
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-476
NULL Pointer Dereference
CWE-674
Uncontrolled Recursion
CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-787
Out-of-bounds Write
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Er zijn kwetsbaarheden verholpen in Oracle Analytics.", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens\n* (Remote) code execution (Gebruikersrechten)", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "general", text: "Truncation of Security-relevant Information", title: "CWE-222", }, { category: "general", text: "Improper Authorization", title: "CWE-285", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "general", text: "Untrusted Search Path", title: "CWE-426", }, { category: "general", text: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", title: "CWE-444", }, { category: "general", text: "NULL Pointer Dereference", title: "CWE-476", }, { category: "general", text: "Uncontrolled Recursion", title: "CWE-674", }, { category: "general", text: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", title: "CWE-776", }, { category: "general", text: "Out-of-bounds Write", title: "CWE-787", }, { category: "general", text: "Loop with Unreachable Exit Condition ('Infinite Loop')", title: "CWE-835", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-23926", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-21797", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26031", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-46589", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-49083", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-52428", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21139", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "Reference - oracle", url: "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json", }, { category: "external", summary: "Reference - cveprojectv5; ibm; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], title: " Kwetsbaarheden verholpen in Oracle Analytics", tracking: { current_release_date: "2024-07-17T13:54:03.545073Z", id: "NCSC-2024-0299", initial_release_date: "2024-07-17T13:54:03.545073Z", revision_history: [ { date: "2024-07-17T13:54:03.545073Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "analytics_desktop", product: { name: "analytics_desktop", product_id: "CSAFPID-816763", product_identification_helper: { cpe: "cpe:2.3:a:oracle:analytics_desktop:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "analytics_desktop", product: { name: "analytics_desktop", product_id: "CSAFPID-816761", product_identification_helper: { cpe: "cpe:2.3:a:oracle:analytics_desktop:6.4.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "analytics_desktop", product: { name: "analytics_desktop", product_id: "CSAFPID-816762", product_identification_helper: { cpe: "cpe:2.3:a:oracle:analytics_desktop:7.0.0.0.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-23926", cwe: { id: "CWE-776", name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", }, notes: [ { category: "other", text: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", title: "CWE-776", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2021-23926", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-23926.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2021-23926", }, { cve: "CVE-2021-37533", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, notes: [ { category: "other", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2021-37533", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-37533.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2021-37533", }, { cve: "CVE-2022-0239", product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2022-0239", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-0239.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2022-0239", }, { cve: "CVE-2022-21797", product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2022-21797", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-21797.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2022-21797", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, notes: [ { category: "other", text: "Out-of-bounds Write", title: "CWE-787", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2022-40152", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-40152.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2022-40152", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, notes: [ { category: "other", text: "Uncontrolled Recursion", title: "CWE-674", }, { category: "other", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-1370", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1370.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-1370", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, notes: [ { category: "other", text: "Uncontrolled Recursion", title: "CWE-674", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-1436", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1436.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-1436", }, { cve: "CVE-2023-26031", cwe: { id: "CWE-426", name: "Untrusted Search Path", }, notes: [ { category: "other", text: "Untrusted Search Path", title: "CWE-426", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-26031", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-26031.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-26031", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-33202", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-33202.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-33202", }, { cve: "CVE-2023-46589", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, notes: [ { category: "other", text: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", title: "CWE-444", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-46589", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-46589.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-46589", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, notes: [ { category: "other", text: "Truncation of Security-relevant Information", title: "CWE-222", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-48795", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-48795.json", }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-48795", }, { cve: "CVE-2023-49083", cwe: { id: "CWE-476", name: "NULL Pointer Dereference", }, notes: [ { category: "other", text: "NULL Pointer Dereference", title: "CWE-476", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-49083", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-49083.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-49083", }, { cve: "CVE-2023-52428", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-52428", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52428.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-52428", }, { cve: "CVE-2024-0727", cwe: { id: "CWE-476", name: "NULL Pointer Dereference", }, notes: [ { category: "other", text: "NULL Pointer Dereference", title: "CWE-476", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2024-0727", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0727.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2024-0727", }, { cve: "CVE-2024-21139", cwe: { id: "CWE-285", name: "Improper Authorization", }, notes: [ { category: "other", text: "Improper Authorization", title: "CWE-285", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2024-21139", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21139.json", }, ], title: "CVE-2024-21139", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, notes: [ { category: "other", text: "Loop with Unreachable Exit Condition ('Infinite Loop')", title: "CWE-835", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2024-25710", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25710.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2024-25710", }, ], }
NCSC-2024-0299
Vulnerability from csaf_ncscnl
Published
2024-07-17 13:54
Modified
2024-07-17 13:54
Summary
Kwetsbaarheden verholpen in Oracle Analytics
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er zijn kwetsbaarheden verholpen in Oracle Analytics.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
* (Remote) code execution (Gebruikersrechten)
Oplossingen
Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans
medium
Schade
high
CWE-20
Improper Input Validation
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-222
Truncation of Security-relevant Information
CWE-285
Improper Authorization
CWE-400
Uncontrolled Resource Consumption
CWE-404
Improper Resource Shutdown or Release
CWE-426
Untrusted Search Path
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-476
NULL Pointer Dereference
CWE-674
Uncontrolled Recursion
CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-787
Out-of-bounds Write
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Er zijn kwetsbaarheden verholpen in Oracle Analytics.", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens\n* (Remote) code execution (Gebruikersrechten)", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "general", text: "Truncation of Security-relevant Information", title: "CWE-222", }, { category: "general", text: "Improper Authorization", title: "CWE-285", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "general", text: "Untrusted Search Path", title: "CWE-426", }, { category: "general", text: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", title: "CWE-444", }, { category: "general", text: "NULL Pointer Dereference", title: "CWE-476", }, { category: "general", text: "Uncontrolled Recursion", title: "CWE-674", }, { category: "general", text: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", title: "CWE-776", }, { category: "general", text: "Out-of-bounds Write", title: "CWE-787", }, { category: "general", text: "Loop with Unreachable Exit Condition ('Infinite Loop')", title: "CWE-835", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-23926", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-21797", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1436", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26031", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-46589", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-49083", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-52428", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-0727", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21139", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "Reference - oracle", url: "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json", }, { category: "external", summary: "Reference - cveprojectv5; ibm; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], title: " Kwetsbaarheden verholpen in Oracle Analytics", tracking: { current_release_date: "2024-07-17T13:54:03.545073Z", id: "NCSC-2024-0299", initial_release_date: "2024-07-17T13:54:03.545073Z", revision_history: [ { date: "2024-07-17T13:54:03.545073Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "analytics_desktop", product: { name: "analytics_desktop", product_id: "CSAFPID-816763", product_identification_helper: { cpe: "cpe:2.3:a:oracle:analytics_desktop:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "analytics_desktop", product: { name: "analytics_desktop", product_id: "CSAFPID-816761", product_identification_helper: { cpe: "cpe:2.3:a:oracle:analytics_desktop:6.4.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "analytics_desktop", product: { name: "analytics_desktop", product_id: "CSAFPID-816762", product_identification_helper: { cpe: "cpe:2.3:a:oracle:analytics_desktop:7.0.0.0.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2021-23926", cwe: { id: "CWE-776", name: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", }, notes: [ { category: "other", text: "Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", title: "CWE-776", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2021-23926", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-23926.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2021-23926", }, { cve: "CVE-2021-37533", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, notes: [ { category: "other", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2021-37533", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-37533.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2021-37533", }, { cve: "CVE-2022-0239", product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2022-0239", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-0239.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2022-0239", }, { cve: "CVE-2022-21797", product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2022-21797", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-21797.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2022-21797", }, { cve: "CVE-2022-40152", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, notes: [ { category: "other", text: "Out-of-bounds Write", title: "CWE-787", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2022-40152", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-40152.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2022-40152", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, notes: [ { category: "other", text: "Uncontrolled Recursion", title: "CWE-674", }, { category: "other", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-1370", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1370.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-1370", }, { cve: "CVE-2023-1436", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, notes: [ { category: "other", text: "Uncontrolled Recursion", title: "CWE-674", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-1436", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-1436.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-1436", }, { cve: "CVE-2023-26031", cwe: { id: "CWE-426", name: "Untrusted Search Path", }, notes: [ { category: "other", text: "Untrusted Search Path", title: "CWE-426", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-26031", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-26031.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-26031", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-33202", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-33202.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-33202", }, { cve: "CVE-2023-46589", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, notes: [ { category: "other", text: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", title: "CWE-444", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-46589", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-46589.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-46589", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, notes: [ { category: "other", text: "Truncation of Security-relevant Information", title: "CWE-222", }, ], product_status: { known_affected: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-48795", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-48795.json", }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-816761", "CSAFPID-816762", "CSAFPID-816763", ], }, ], title: "CVE-2023-48795", }, { cve: "CVE-2023-49083", cwe: { id: "CWE-476", name: "NULL Pointer Dereference", }, notes: [ { category: "other", text: "NULL Pointer Dereference", title: "CWE-476", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-49083", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-49083.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-49083", }, { cve: "CVE-2023-52428", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2023-52428", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52428.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2023-52428", }, { cve: "CVE-2024-0727", cwe: { id: "CWE-476", name: "NULL Pointer Dereference", }, notes: [ { category: "other", text: "NULL Pointer Dereference", title: "CWE-476", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2024-0727", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-0727.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2024-0727", }, { cve: "CVE-2024-21139", cwe: { id: "CWE-285", name: "Improper Authorization", }, notes: [ { category: "other", text: "Improper Authorization", title: "CWE-285", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2024-21139", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21139.json", }, ], title: "CVE-2024-21139", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, notes: [ { category: "other", text: "Loop with Unreachable Exit Condition ('Infinite Loop')", title: "CWE-835", }, ], product_status: { known_affected: [ "CSAFPID-816763", ], }, references: [ { category: "self", summary: "CVE-2024-25710", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25710.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-816763", ], }, ], title: "CVE-2024-25710", }, ], }
ghsa-493p-pfq6-5258
Vulnerability from github
Published
2023-03-23 20:32
Modified
2025-02-13 18:41
Severity ?
Summary
json-smart Uncontrolled Recursion vulnerability
Details
Impact
Affected versions of net.minidev:json-smart are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.
Patches
This vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug.
Workarounds
N/A
References
- https://www.cve.org/CVERecord?id=CVE-2023-1370
- https://nvd.nist.gov/vuln/detail/CVE-2023-1370
- https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748
{ affected: [ { package: { ecosystem: "Maven", name: "net.minidev:json-smart", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "2.4.9", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2023-1370", ], database_specific: { cwe_ids: [ "CWE-674", ], github_reviewed: true, github_reviewed_at: "2023-03-23T20:32:03Z", nvd_published_at: "2023-03-22T06:15:00Z", severity: "HIGH", }, details: "### Impact\nAffected versions of [net.minidev:json-smart](https://github.com/netplex/json-smart-v1) are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the 3PP does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.\n\n### Patches\nThis vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10, due to a remaining bug.\n\n### Workarounds\nN/A\n\n### References\n- https://www.cve.org/CVERecord?id=CVE-2023-1370\n- https://nvd.nist.gov/vuln/detail/CVE-2023-1370\n- https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748", id: "GHSA-493p-pfq6-5258", modified: "2025-02-13T18:41:52Z", published: "2023-03-23T20:32:03Z", references: [ { type: "WEB", url: "https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v2/issues/137", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a", }, { type: "WEB", url: "https://github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8", }, { type: "PACKAGE", url: "https://github.com/oswaldobapvicjr/jsonmerge", }, { type: "WEB", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633", }, { type: "WEB", url: "https://security.netapp.com/advisory/ntap-20240621-0006", }, { type: "WEB", url: "https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748", }, { type: "WEB", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], summary: "json-smart Uncontrolled Recursion vulnerability", }
gsd-2023-1370
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Aliases
Aliases
{ GSD: { alias: "CVE-2023-1370", id: "GSD-2023-1370", }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2023-1370", ], details: "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.", id: "GSD-2023-1370", modified: "2023-12-13T01:20:41.175681Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "security@jfrog.com", ID: "CVE-2023-1370", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "json-smart", version: { version_data: [ { version_affected: "<", version_name: "0", version_value: "2.4.9", }, ], }, }, ], }, vendor_name: "json-smart", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.", }, ], }, impact: { cvss: [ { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, ], }, problemtype: { problemtype_data: [ { description: [ { cweId: "CWE-674", lang: "eng", value: "CWE-674 Uncontrolled Recursion", }, ], }, ], }, references: { reference_data: [ { name: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", refsource: "MISC", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], }, source: { discovery: "EXTERNAL", }, }, "gitlab.com": { advisories: [ { affected_range: "(,2.4.9)", affected_versions: "All versions before 2.4.9", cwe_ids: [ "CWE-1035", "CWE-937", ], date: "2023-03-23", description: "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.", fixed_versions: [ "2.4.9", ], identifier: "CVE-2023-1370", identifiers: [ "GHSA-493p-pfq6-5258", "CVE-2023-1370", ], not_impacted: "All versions starting from 2.4.9", package_slug: "maven/net.minidev/json-smart", pubdate: "2023-03-23", solution: "Upgrade to version 2.4.9 or above.", title: "json-smart Uncontrolled Recursion vulnerabilty", urls: [ "https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258", "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", "https://github.com/netplex/json-smart-v2/issues/137", "https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a", "https://github.com/netplex/json-smart-v2/commit/e2791ae506a57491bc856b439d706c81e45adcf8", "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", "https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748", "https://www.cve.org/CVERecord?id=CVE-2023-1370", "https://github.com/advisories/GHSA-493p-pfq6-5258", ], uuid: "4d9c2a5e-d097-47ce-9f29-18e245e538ea", }, ], }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:json-smart_project:json-smart:*:*:*:*:*:*:*:*", matchCriteriaId: "DCB9A6B6-D76A-44FE-9326-07E17A486932", versionEndExcluding: "2.4.9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\n\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.\n\n", }, ], id: "CVE-2023-1370", lastModified: "2024-04-01T15:45:17.643", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "reefs@jfrog.com", type: "Secondary", }, ], }, published: "2023-03-22T06:15:09.493", references: [ { source: "reefs@jfrog.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], sourceIdentifier: "reefs@jfrog.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-674", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-674", }, ], source: "reefs@jfrog.com", type: "Secondary", }, ], }, }, }, }
fkie_cve-2023-1370
Vulnerability from fkie_nvd
Published
2023-03-22 06:15
Modified
2025-02-13 17:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| json-smart_project | json-smart | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:json-smart_project:json-smart:*:*:*:*:*:*:*:*", matchCriteriaId: "DCB9A6B6-D76A-44FE-9326-07E17A486932", versionEndExcluding: "2.4.9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.\n\nWhen reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.\n\nIt was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.", }, ], id: "CVE-2023-1370", lastModified: "2025-02-13T17:15:58.220", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "reefs@jfrog.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-22T06:15:09.493", references: [ { source: "reefs@jfrog.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, { source: "reefs@jfrog.com", url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20240621-0006/", }, ], sourceIdentifier: "reefs@jfrog.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-674", }, ], source: "reefs@jfrog.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-674", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.