Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2023-51074
Vulnerability from cvelistv5
Published
2023-12-27 00:00
Modified
2024-08-02 22:32
Severity ?
EPSS score ?
Summary
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/json-path/JsonPath/issues/973 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/json-path/JsonPath/issues/973 | Exploit, Issue Tracking, Third Party Advisory |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:32:08.933Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/json-path/JsonPath/issues/973", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-27T20:56:22.383078", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { url: "https://github.com/json-path/JsonPath/issues/973", }, ], }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2023-51074", datePublished: "2023-12-27T00:00:00", dateReserved: "2023-12-18T00:00:00", dateUpdated: "2024-08-02T22:32:08.933Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:json-path:jayway_jsonpath:2.8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8D81ECFA-DBD4-4079-9481-327D08E8E5A0\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.\"}, {\"lang\": \"es\", \"value\": \"Se descubri\\u00f3 que json-path v2.8.0 conten\\u00eda un desbordamiento de pila mediante el m\\u00e9todo Criteria.parse().\"}]", id: "CVE-2023-51074", lastModified: "2024-11-21T08:37:48.267", metrics: "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}", published: "2023-12-27T21:15:08.253", references: "[{\"url\": \"https://github.com/json-path/JsonPath/issues/973\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/json-path/JsonPath/issues/973\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}]", sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2023-51074\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2023-12-27T21:15:08.253\",\"lastModified\":\"2024-11-21T08:37:48.267\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.\"},{\"lang\":\"es\",\"value\":\"Se descubrió que json-path v2.8.0 contenía un desbordamiento de pila mediante el método Criteria.parse().\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:json-path:jayway_jsonpath:2.8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8D81ECFA-DBD4-4079-9481-327D08E8E5A0\"}]}]}],\"references\":[{\"url\":\"https://github.com/json-path/JsonPath/issues/973\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/json-path/JsonPath/issues/973\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]}]}}", }, }
gsd-2023-51074
Vulnerability from gsd
Modified
2023-12-18 06:01
Details
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
Aliases
{ gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2023-51074", ], details: "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", id: "GSD-2023-51074", modified: "2023-12-18T06:01:25.416815Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2023-51074", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/json-path/JsonPath/issues/973", refsource: "MISC", url: "https://github.com/json-path/JsonPath/issues/973", }, ], }, }, "nvd.nist.gov": { cve: { configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:json-path:jayway_jsonpath:2.8.0:*:*:*:*:*:*:*", matchCriteriaId: "8D81ECFA-DBD4-4079-9481-327D08E8E5A0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], descriptions: [ { lang: "en", value: "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", }, { lang: "es", value: "Se descubrió que json-path v2.8.0 contenía un desbordamiento de pila mediante el método Criteria.parse().", }, ], id: "CVE-2023-51074", lastModified: "2024-01-11T20:01:29.860", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-27T21:15:08.253", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/json-path/JsonPath/issues/973", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }, }, }, }
wid-sec-w-2024-0351
Vulnerability from csaf_certbund
Published
2024-02-12 23:00
Modified
2024-05-30 22:00
Summary
Red Hat OpenShift und Apache Camel: Schwachstelle ermöglicht Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.
Apache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift und Apache Camel ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.\r\nApache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift und Apache Camel ausnutzen, um einen Denial of Service Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0351 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0351.json", }, { category: "self", summary: "WID-SEC-2024-0351 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0351", }, { category: "external", summary: "Red Hat Security Advisory vom 2024-02-12", url: "https://access.redhat.com/errata/RHSA-2024:0792", }, { category: "external", summary: "GitHub Advisory & POC", url: "https://github.com/json-path/JsonPath/issues/973", }, { category: "external", summary: "Red Hat Bugzilla – Bug 2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:2707 vom 2024-05-06", url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:3527 vom 2024-05-30", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], source_lang: "en-US", title: "Red Hat OpenShift und Apache Camel: Schwachstelle ermöglicht Denial of Service", tracking: { current_release_date: "2024-05-30T22:00:00.000+00:00", generator: { date: "2024-08-15T18:05:06.953+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0351", initial_release_date: "2024-02-12T23:00:00.000+00:00", revision_history: [ { date: "2024-02-12T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-05-06T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-05-30T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<4.0", product: { name: "Apache Camel <4.0", product_id: "T028461", }, }, { category: "product_version_range", name: "<3.20.5", product: { name: "Apache Camel <3.20.5", product_id: "T032694", }, }, ], category: "product_name", name: "Camel", }, ], category: "vendor", name: "Apache", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, { category: "product_name", name: "Red Hat OpenShift", product: { name: "Red Hat OpenShift", product_id: "T032693", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:-", }, }, }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-51074", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Red Hat OpenShift und Apache Camel. Dieser Fehler besteht in der Methode Criteria.parse in json-path aufgrund einer unkontrollierten Rekursion, die zu einem stapelbasierten Pufferüberlauf führt. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], product_status: { known_affected: [ "67646", "T032693", ], }, release_date: "2024-02-12T23:00:00.000+00:00", title: "CVE-2023-51074", }, ], }
WID-SEC-W-2024-0537
Vulnerability from csaf_certbund
Published
2024-03-03 23:00
Modified
2024-03-17 23:00
Summary
IBM Business Automation Workflow: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM Business Automation Workflow ist eine Lösung zur Automatisierung von Arbeitsabläufen.
Angriff
Ein entfernter anonymer Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM Business Automation Workflow ist eine Lösung zur Automatisierung von Arbeitsabläufen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter anonymer Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.", title: "Angriff", }, { category: "general", text: "- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0537 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0537.json", }, { category: "self", summary: "WID-SEC-2024-0537 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0537", }, { category: "external", summary: "IBM Security Bulletin vom 2024-03-03", url: "https://www.ibm.com/support/pages/security-bulletin-denial-service-vulnerability-affect-ibm-business-automation-workflow-event-emitters-cve-2023-51074", }, { category: "external", summary: "IBM Security Bulletin vom 2024-03-03", url: "https://www.ibm.com/support/pages/node/7129317", }, { category: "external", summary: "IBM Security Bulletin vom 2024-03-03", url: "https://www.ibm.com/support/pages/node/7129249", }, { category: "external", summary: "IBM Security Bulletin 7142190 vom 2024-03-15", url: "https://www.ibm.com/support/pages/node/7142190", }, ], source_lang: "en-US", title: "IBM Business Automation Workflow: Mehrere Schwachstellen", tracking: { current_release_date: "2024-03-17T23:00:00.000+00:00", generator: { date: "2024-08-15T18:06:01.587+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0537", initial_release_date: "2024-03-03T23:00:00.000+00:00", revision_history: [ { date: "2024-03-03T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-03-17T23:00:00.000+00:00", number: "2", summary: "Neue Updates von IBM aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "11.0.0.1 - 11.0.0.24", product: { name: "IBM App Connect Enterprise 11.0.0.1 - 11.0.0.24", product_id: "T032331", product_identification_helper: { cpe: "cpe:/a:ibm:app_connect_enterprise:11.0.0.1_-_11.0.0.24", }, }, }, { category: "product_version", name: "12.0.1.0 - 12.0.11.1", product: { name: "IBM App Connect Enterprise 12.0.1.0 - 12.0.11.1", product_id: "T033333", product_identification_helper: { cpe: "cpe:/a:ibm:app_connect_enterprise:12.0.1.0_-_12.0.11.1", }, }, }, ], category: "product_name", name: "App Connect Enterprise", }, { branches: [ { category: "product_version_range", name: "< 23.0.2-IF002", product: { name: "IBM Business Automation Workflow < 23.0.2-IF002", product_id: "T033215", }, }, { category: "product_version_range", name: "< 21.0.3-IF030", product: { name: "IBM Business Automation Workflow < 21.0.3-IF030", product_id: "T033216", }, }, ], category: "product_name", name: "Business Automation Workflow", }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2022-46337", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in IBM Business Automation Workflow. Dieser Fehler besteht in der Apache Derby-Komponente aufgrund eines LDAP-Injektionsproblems, das es ermöglicht, sensible Daten anzuzeigen und zu beschädigen sowie sensible Datenbankfunktionen und -prozeduren auszuführen. Durch das Senden einer speziell gestalteten Anfrage kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um die Sicherheitsmaßnahmen zu umgehen.", }, ], product_status: { known_affected: [ "T032331", "T033333", ], }, release_date: "2024-03-03T23:00:00.000+00:00", title: "CVE-2022-46337", }, { cve: "CVE-2023-51074", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in IBM Business Automation Workflow. Dieser Fehler besteht in der Komponente json-path aufgrund eines stapelbasierten Pufferüberlaufproblems, das zu einer unkontrollierten Rekursion führt. Durch Senden einer speziell gestalteten Eingabe kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], product_status: { known_affected: [ "T032331", "T033333", ], }, release_date: "2024-03-03T23:00:00.000+00:00", title: "CVE-2023-51074", }, ], }
WID-SEC-W-2024-0351
Vulnerability from csaf_certbund
Published
2024-02-12 23:00
Modified
2024-05-30 22:00
Summary
Red Hat OpenShift und Apache Camel: Schwachstelle ermöglicht Denial of Service
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.
Apache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift und Apache Camel ausnutzen, um einen Denial of Service Angriff durchzuführen.
Betroffene Betriebssysteme
- Linux
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.\r\nApache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift und Apache Camel ausnutzen, um einen Denial of Service Angriff durchzuführen.", title: "Angriff", }, { category: "general", text: "- Linux", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0351 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0351.json", }, { category: "self", summary: "WID-SEC-2024-0351 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0351", }, { category: "external", summary: "Red Hat Security Advisory vom 2024-02-12", url: "https://access.redhat.com/errata/RHSA-2024:0792", }, { category: "external", summary: "GitHub Advisory & POC", url: "https://github.com/json-path/JsonPath/issues/973", }, { category: "external", summary: "Red Hat Bugzilla – Bug 2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:2707 vom 2024-05-06", url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:3527 vom 2024-05-30", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], source_lang: "en-US", title: "Red Hat OpenShift und Apache Camel: Schwachstelle ermöglicht Denial of Service", tracking: { current_release_date: "2024-05-30T22:00:00.000+00:00", generator: { date: "2024-08-15T18:05:06.953+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0351", initial_release_date: "2024-02-12T23:00:00.000+00:00", revision_history: [ { date: "2024-02-12T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-05-06T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-05-30T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Red Hat aufgenommen", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version_range", name: "<4.0", product: { name: "Apache Camel <4.0", product_id: "T028461", }, }, { category: "product_version_range", name: "<3.20.5", product: { name: "Apache Camel <3.20.5", product_id: "T032694", }, }, ], category: "product_name", name: "Camel", }, ], category: "vendor", name: "Apache", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, { category: "product_name", name: "Red Hat OpenShift", product: { name: "Red Hat OpenShift", product_id: "T032693", product_identification_helper: { cpe: "cpe:/a:redhat:openshift:-", }, }, }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-51074", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Red Hat OpenShift und Apache Camel. Dieser Fehler besteht in der Methode Criteria.parse in json-path aufgrund einer unkontrollierten Rekursion, die zu einem stapelbasierten Pufferüberlauf führt. Ein entfernter, authentifizierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], product_status: { known_affected: [ "67646", "T032693", ], }, release_date: "2024-02-12T23:00:00.000+00:00", title: "CVE-2023-51074", }, ], }
wid-sec-w-2024-0869
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-11-21 23:00
Summary
Oracle Communications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0869 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0869.json", }, { category: "self", summary: "WID-SEC-2024-0869 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0869", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Communications vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixCGBU", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:1878 vom 2024-04-18", url: "https://access.redhat.com/errata/RHSA-2024:1878", }, { category: "external", summary: "Gentoo Linux Security Advisory GLSA-202405-01 vom 2024-05-04", url: "https://security.gentoo.org/glsa/202405-01", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:7987 vom 2024-10-10", url: "https://access.redhat.com/errata/RHSA-2024:7987", }, { category: "external", summary: "XEROX Security Advisory XRX24-017 vom 2024-11-21", url: "https://securitydocs.business.xerox.com/wp-content/uploads/2024/11/Xerox-Security-Bulletin-XRX24-017-for-Xerox%C2%AE-FreeFlow%C2%AE-Print-Server-v9.pdf", }, ], source_lang: "en-US", title: "Oracle Communications: Mehrere Schwachstellen", tracking: { current_release_date: "2024-11-21T23:00:00.000+00:00", generator: { date: "2024-11-22T10:07:06.493+00:00", engine: { name: "BSI-WID", version: "1.3.8", }, }, id: "WID-SEC-W-2024-0869", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-04-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-05-05T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Gentoo aufgenommen", }, { date: "2024-10-10T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-11-21T23:00:00.000+00:00", number: "5", summary: "Neue Updates von XEROX aufgenommen", }, ], status: "final", version: "5", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Gentoo Linux", product: { name: "Gentoo Linux", product_id: "T012167", product_identification_helper: { cpe: "cpe:/o:gentoo:linux:-", }, }, }, ], category: "vendor", name: "Gentoo", }, { branches: [ { branches: [ { category: "product_version", name: "5", product: { name: "Oracle Communications 5.0", product_id: "T021645", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.0", }, }, }, { category: "product_version", name: "22.4.0", product: { name: "Oracle Communications 22.4.0", product_id: "T024981", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.0", }, }, }, { category: "product_version", name: "23.1.0", product: { name: "Oracle Communications 23.1.0", product_id: "T027326", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.0", }, }, }, { category: "product_version", name: "23.2.0", product: { name: "Oracle Communications 23.2.0", product_id: "T028682", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.2.0", }, }, }, { category: "product_version", name: "5.1", product: { name: "Oracle Communications 5.1", product_id: "T028684", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.1", }, }, }, { category: "product_version", name: "23.2.2", product: { name: "Oracle Communications 23.2.2", product_id: "T030583", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.2.2", }, }, }, { category: "product_version", name: "23.3.0", product: { name: "Oracle Communications 23.3.0", product_id: "T030586", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.3.0", }, }, }, { category: "product_version", name: "9.0.0.0", product: { name: "Oracle Communications 9.0.0.0", product_id: "T030589", product_identification_helper: { cpe: "cpe:/a:oracle:communications:9.0.0.0", }, }, }, { category: "product_version_range", name: "<=7.2.1.0.0", product: { name: "Oracle Communications <=7.2.1.0.0", product_id: "T030593", }, }, { category: "product_version_range", name: "<=7.2.1.0.0", product: { name: "Oracle Communications <=7.2.1.0.0", product_id: "T030593-fixed", }, }, { category: "product_version_range", name: "<=9.0.2", product: { name: "Oracle Communications <=9.0.2", product_id: "T030595", }, }, { category: "product_version_range", name: "<=9.0.2", product: { name: "Oracle Communications <=9.0.2", product_id: "T030595-fixed", }, }, { category: "product_version", name: "23.3.1", product: { name: "Oracle Communications 23.3.1", product_id: "T032088", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.3.1", }, }, }, { category: "product_version", name: "23.4.0", product: { name: "Oracle Communications 23.4.0", product_id: "T032091", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.4.0", }, }, }, { category: "product_version", name: "23.4.1", product: { name: "Oracle Communications 23.4.1", product_id: "T034143", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.4.1", }, }, }, { category: "product_version_range", name: "<=23.4.2", product: { name: "Oracle Communications <=23.4.2", product_id: "T034144", }, }, { category: "product_version_range", name: "<=23.4.2", product: { name: "Oracle Communications <=23.4.2", product_id: "T034144-fixed", }, }, { category: "product_version", name: "24.1.0", product: { name: "Oracle Communications 24.1.0", product_id: "T034145", product_identification_helper: { cpe: "cpe:/a:oracle:communications:24.1.0", }, }, }, { category: "product_version", name: "5.2", product: { name: "Oracle Communications 5.2", product_id: "T034146", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.2", }, }, }, { category: "product_version", name: "24.1.0.0.0", product: { name: "Oracle Communications 24.1.0.0.0", product_id: "T034147", product_identification_helper: { cpe: "cpe:/a:oracle:communications:24.1.0.0.0", }, }, }, { category: "product_version", name: "23.3.2", product: { name: "Oracle Communications 23.3.2", product_id: "T034148", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.3.2", }, }, }, { category: "product_version", name: "14.0.0.0.0", product: { name: "Oracle Communications 14.0.0.0.0", product_id: "T034149", product_identification_helper: { cpe: "cpe:/a:oracle:communications:14.0.0.0.0", }, }, }, { category: "product_version", name: "9.1.1.7.0", product: { name: "Oracle Communications 9.1.1.7.0", product_id: "T034150", product_identification_helper: { cpe: "cpe:/a:oracle:communications:9.1.1.7.0", }, }, }, ], category: "product_name", name: "Communications", }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { branches: [ { category: "product_version", name: "v9", product: { name: "Xerox FreeFlow Print Server v9", product_id: "T015632", product_identification_helper: { cpe: "cpe:/a:xerox:freeflow_print_server:v9", }, }, }, ], category: "product_name", name: "FreeFlow Print Server", }, ], category: "vendor", name: "Xerox", }, ], }, vulnerabilities: [ { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40896", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-40896", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2023-2283", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-2283", }, { cve: "CVE-2023-31122", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-31122", }, { cve: "CVE-2023-33201", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-33201", }, { cve: "CVE-2023-34053", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-34053", }, { cve: "CVE-2023-34055", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-34055", }, { cve: "CVE-2023-4016", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-4016", }, { cve: "CVE-2023-41056", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-41056", }, { cve: "CVE-2023-43496", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-43496", }, { cve: "CVE-2023-44487", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-44487", }, { cve: "CVE-2023-45142", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-45142", }, { cve: "CVE-2023-4641", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-4641", }, { cve: "CVE-2023-46589", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-46589", }, { cve: "CVE-2023-47100", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-47100", }, { cve: "CVE-2023-4863", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-4863", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, { cve: "CVE-2023-49083", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-49083", }, { cve: "CVE-2023-5072", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2023-51074", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-51074", }, { cve: "CVE-2023-51257", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-51257", }, { cve: "CVE-2023-51775", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-51775", }, { cve: "CVE-2023-5341", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5341", }, { cve: "CVE-2023-5363", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5363", }, { cve: "CVE-2023-6507", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-6507", }, { cve: "CVE-2024-1635", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-1635", }, { cve: "CVE-2024-21626", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21626", }, { cve: "CVE-2024-22201", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22201", }, { cve: "CVE-2024-22233", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22233", }, { cve: "CVE-2024-22257", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22257", }, { cve: "CVE-2024-22259", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22259", }, { cve: "CVE-2024-25062", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-25062", }, { cve: "CVE-2024-26130", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-26130", }, { cve: "CVE-2024-26308", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-26308", }, ], }
wid-sec-w-2024-0537
Vulnerability from csaf_certbund
Published
2024-03-03 23:00
Modified
2024-03-17 23:00
Summary
IBM Business Automation Workflow: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM Business Automation Workflow ist eine Lösung zur Automatisierung von Arbeitsabläufen.
Angriff
Ein entfernter anonymer Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.
Betroffene Betriebssysteme
- Sonstiges
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "IBM Business Automation Workflow ist eine Lösung zur Automatisierung von Arbeitsabläufen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter anonymer Angreifer kann mehrere Schwachstellen in IBM Business Automation Workflow ausnutzen, um Sicherheitsmaßnahmen zu umgehen oder einen Denial-of-Service-Zustand zu verursachen.", title: "Angriff", }, { category: "general", text: "- Sonstiges", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0537 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0537.json", }, { category: "self", summary: "WID-SEC-2024-0537 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0537", }, { category: "external", summary: "IBM Security Bulletin vom 2024-03-03", url: "https://www.ibm.com/support/pages/security-bulletin-denial-service-vulnerability-affect-ibm-business-automation-workflow-event-emitters-cve-2023-51074", }, { category: "external", summary: "IBM Security Bulletin vom 2024-03-03", url: "https://www.ibm.com/support/pages/node/7129317", }, { category: "external", summary: "IBM Security Bulletin vom 2024-03-03", url: "https://www.ibm.com/support/pages/node/7129249", }, { category: "external", summary: "IBM Security Bulletin 7142190 vom 2024-03-15", url: "https://www.ibm.com/support/pages/node/7142190", }, ], source_lang: "en-US", title: "IBM Business Automation Workflow: Mehrere Schwachstellen", tracking: { current_release_date: "2024-03-17T23:00:00.000+00:00", generator: { date: "2024-08-15T18:06:01.587+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-0537", initial_release_date: "2024-03-03T23:00:00.000+00:00", revision_history: [ { date: "2024-03-03T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-03-17T23:00:00.000+00:00", number: "2", summary: "Neue Updates von IBM aufgenommen", }, ], status: "final", version: "2", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "11.0.0.1 - 11.0.0.24", product: { name: "IBM App Connect Enterprise 11.0.0.1 - 11.0.0.24", product_id: "T032331", product_identification_helper: { cpe: "cpe:/a:ibm:app_connect_enterprise:11.0.0.1_-_11.0.0.24", }, }, }, { category: "product_version", name: "12.0.1.0 - 12.0.11.1", product: { name: "IBM App Connect Enterprise 12.0.1.0 - 12.0.11.1", product_id: "T033333", product_identification_helper: { cpe: "cpe:/a:ibm:app_connect_enterprise:12.0.1.0_-_12.0.11.1", }, }, }, ], category: "product_name", name: "App Connect Enterprise", }, { branches: [ { category: "product_version_range", name: "< 23.0.2-IF002", product: { name: "IBM Business Automation Workflow < 23.0.2-IF002", product_id: "T033215", }, }, { category: "product_version_range", name: "< 21.0.3-IF030", product: { name: "IBM Business Automation Workflow < 21.0.3-IF030", product_id: "T033216", }, }, ], category: "product_name", name: "Business Automation Workflow", }, ], category: "vendor", name: "IBM", }, ], }, vulnerabilities: [ { cve: "CVE-2022-46337", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in IBM Business Automation Workflow. Dieser Fehler besteht in der Apache Derby-Komponente aufgrund eines LDAP-Injektionsproblems, das es ermöglicht, sensible Daten anzuzeigen und zu beschädigen sowie sensible Datenbankfunktionen und -prozeduren auszuführen. Durch das Senden einer speziell gestalteten Anfrage kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um die Sicherheitsmaßnahmen zu umgehen.", }, ], product_status: { known_affected: [ "T032331", "T033333", ], }, release_date: "2024-03-03T23:00:00.000+00:00", title: "CVE-2022-46337", }, { cve: "CVE-2023-51074", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in IBM Business Automation Workflow. Dieser Fehler besteht in der Komponente json-path aufgrund eines stapelbasierten Pufferüberlaufproblems, das zu einer unkontrollierten Rekursion führt. Durch Senden einer speziell gestalteten Eingabe kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen.", }, ], product_status: { known_affected: [ "T032331", "T033333", ], }, release_date: "2024-03-03T23:00:00.000+00:00", title: "CVE-2023-51074", }, ], }
WID-SEC-W-2024-0869
Vulnerability from csaf_certbund
Published
2024-04-16 22:00
Modified
2024-11-21 23:00
Summary
Oracle Communications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Communications umfasst branchenspezifische Lösungen für die Telekommunikationsbranche.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Oracle Communications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-0869 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0869.json", }, { category: "self", summary: "WID-SEC-2024-0869 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0869", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - April 2024 - Appendix Oracle Communications vom 2024-04-16", url: "https://www.oracle.com/security-alerts/cpuapr2024.html#AppendixCGBU", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:1878 vom 2024-04-18", url: "https://access.redhat.com/errata/RHSA-2024:1878", }, { category: "external", summary: "Gentoo Linux Security Advisory GLSA-202405-01 vom 2024-05-04", url: "https://security.gentoo.org/glsa/202405-01", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:7987 vom 2024-10-10", url: "https://access.redhat.com/errata/RHSA-2024:7987", }, { category: "external", summary: "XEROX Security Advisory XRX24-017 vom 2024-11-21", url: "https://securitydocs.business.xerox.com/wp-content/uploads/2024/11/Xerox-Security-Bulletin-XRX24-017-for-Xerox%C2%AE-FreeFlow%C2%AE-Print-Server-v9.pdf", }, ], source_lang: "en-US", title: "Oracle Communications: Mehrere Schwachstellen", tracking: { current_release_date: "2024-11-21T23:00:00.000+00:00", generator: { date: "2024-11-22T10:07:06.493+00:00", engine: { name: "BSI-WID", version: "1.3.8", }, }, id: "WID-SEC-W-2024-0869", initial_release_date: "2024-04-16T22:00:00.000+00:00", revision_history: [ { date: "2024-04-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-04-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-05-05T22:00:00.000+00:00", number: "3", summary: "Neue Updates von Gentoo aufgenommen", }, { date: "2024-10-10T22:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-11-21T23:00:00.000+00:00", number: "5", summary: "Neue Updates von XEROX aufgenommen", }, ], status: "final", version: "5", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Gentoo Linux", product: { name: "Gentoo Linux", product_id: "T012167", product_identification_helper: { cpe: "cpe:/o:gentoo:linux:-", }, }, }, ], category: "vendor", name: "Gentoo", }, { branches: [ { branches: [ { category: "product_version", name: "5", product: { name: "Oracle Communications 5.0", product_id: "T021645", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.0", }, }, }, { category: "product_version", name: "22.4.0", product: { name: "Oracle Communications 22.4.0", product_id: "T024981", product_identification_helper: { cpe: "cpe:/a:oracle:communications:22.4.0", }, }, }, { category: "product_version", name: "23.1.0", product: { name: "Oracle Communications 23.1.0", product_id: "T027326", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.1.0", }, }, }, { category: "product_version", name: "23.2.0", product: { name: "Oracle Communications 23.2.0", product_id: "T028682", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.2.0", }, }, }, { category: "product_version", name: "5.1", product: { name: "Oracle Communications 5.1", product_id: "T028684", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.1", }, }, }, { category: "product_version", name: "23.2.2", product: { name: "Oracle Communications 23.2.2", product_id: "T030583", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.2.2", }, }, }, { category: "product_version", name: "23.3.0", product: { name: "Oracle Communications 23.3.0", product_id: "T030586", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.3.0", }, }, }, { category: "product_version", name: "9.0.0.0", product: { name: "Oracle Communications 9.0.0.0", product_id: "T030589", product_identification_helper: { cpe: "cpe:/a:oracle:communications:9.0.0.0", }, }, }, { category: "product_version_range", name: "<=7.2.1.0.0", product: { name: "Oracle Communications <=7.2.1.0.0", product_id: "T030593", }, }, { category: "product_version_range", name: "<=7.2.1.0.0", product: { name: "Oracle Communications <=7.2.1.0.0", product_id: "T030593-fixed", }, }, { category: "product_version_range", name: "<=9.0.2", product: { name: "Oracle Communications <=9.0.2", product_id: "T030595", }, }, { category: "product_version_range", name: "<=9.0.2", product: { name: "Oracle Communications <=9.0.2", product_id: "T030595-fixed", }, }, { category: "product_version", name: "23.3.1", product: { name: "Oracle Communications 23.3.1", product_id: "T032088", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.3.1", }, }, }, { category: "product_version", name: "23.4.0", product: { name: "Oracle Communications 23.4.0", product_id: "T032091", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.4.0", }, }, }, { category: "product_version", name: "23.4.1", product: { name: "Oracle Communications 23.4.1", product_id: "T034143", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.4.1", }, }, }, { category: "product_version_range", name: "<=23.4.2", product: { name: "Oracle Communications <=23.4.2", product_id: "T034144", }, }, { category: "product_version_range", name: "<=23.4.2", product: { name: "Oracle Communications <=23.4.2", product_id: "T034144-fixed", }, }, { category: "product_version", name: "24.1.0", product: { name: "Oracle Communications 24.1.0", product_id: "T034145", product_identification_helper: { cpe: "cpe:/a:oracle:communications:24.1.0", }, }, }, { category: "product_version", name: "5.2", product: { name: "Oracle Communications 5.2", product_id: "T034146", product_identification_helper: { cpe: "cpe:/a:oracle:communications:5.2", }, }, }, { category: "product_version", name: "24.1.0.0.0", product: { name: "Oracle Communications 24.1.0.0.0", product_id: "T034147", product_identification_helper: { cpe: "cpe:/a:oracle:communications:24.1.0.0.0", }, }, }, { category: "product_version", name: "23.3.2", product: { name: "Oracle Communications 23.3.2", product_id: "T034148", product_identification_helper: { cpe: "cpe:/a:oracle:communications:23.3.2", }, }, }, { category: "product_version", name: "14.0.0.0.0", product: { name: "Oracle Communications 14.0.0.0.0", product_id: "T034149", product_identification_helper: { cpe: "cpe:/a:oracle:communications:14.0.0.0.0", }, }, }, { category: "product_version", name: "9.1.1.7.0", product: { name: "Oracle Communications 9.1.1.7.0", product_id: "T034150", product_identification_helper: { cpe: "cpe:/a:oracle:communications:9.1.1.7.0", }, }, }, ], category: "product_name", name: "Communications", }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { branches: [ { category: "product_version", name: "v9", product: { name: "Xerox FreeFlow Print Server v9", product_id: "T015632", product_identification_helper: { cpe: "cpe:/a:xerox:freeflow_print_server:v9", }, }, }, ], category: "product_name", name: "FreeFlow Print Server", }, ], category: "vendor", name: "Xerox", }, ], }, vulnerabilities: [ { cve: "CVE-2022-40152", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-40152", }, { cve: "CVE-2022-40896", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-40896", }, { cve: "CVE-2022-45688", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2022-45688", }, { cve: "CVE-2023-2283", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-2283", }, { cve: "CVE-2023-31122", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-31122", }, { cve: "CVE-2023-33201", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-33201", }, { cve: "CVE-2023-34053", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-34053", }, { cve: "CVE-2023-34055", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-34055", }, { cve: "CVE-2023-4016", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-4016", }, { cve: "CVE-2023-41056", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-41056", }, { cve: "CVE-2023-43496", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-43496", }, { cve: "CVE-2023-44487", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-44487", }, { cve: "CVE-2023-45142", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-45142", }, { cve: "CVE-2023-4641", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-4641", }, { cve: "CVE-2023-46589", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-46589", }, { cve: "CVE-2023-47100", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-47100", }, { cve: "CVE-2023-4863", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-4863", }, { cve: "CVE-2023-48795", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-48795", }, { cve: "CVE-2023-49083", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-49083", }, { cve: "CVE-2023-5072", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5072", }, { cve: "CVE-2023-51074", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-51074", }, { cve: "CVE-2023-51257", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-51257", }, { cve: "CVE-2023-51775", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-51775", }, { cve: "CVE-2023-5341", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5341", }, { cve: "CVE-2023-5363", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-5363", }, { cve: "CVE-2023-6507", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2023-6507", }, { cve: "CVE-2024-1635", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-1635", }, { cve: "CVE-2024-21626", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-21626", }, { cve: "CVE-2024-22201", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22201", }, { cve: "CVE-2024-22233", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22233", }, { cve: "CVE-2024-22257", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22257", }, { cve: "CVE-2024-22259", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-22259", }, { cve: "CVE-2024-25062", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-25062", }, { cve: "CVE-2024-26130", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-26130", }, { cve: "CVE-2024-26308", notes: [ { category: "description", text: "In Oracle Communications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T028682", "T034149", "T030586", "T034148", "T030589", "67646", "T034143", "T015632", "T012167", "T034147", "T034146", "T030583", "T034145", "T032088", "T034150", "T021645", "T032091", "T027326", "T024981", "T028684", ], last_affected: [ "T030595", "T030593", "T034144", ], }, release_date: "2024-04-16T22:00:00.000+00:00", title: "CVE-2024-26308", }, ], }
wid-sec-w-2024-1638
Vulnerability from csaf_certbund
Published
2024-07-16 22:00
Modified
2024-07-16 22:00
Summary
Oracle Financial Services Applications: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.
Angriff
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Financial Services ist eine Zusammenstellung von Anwendungen für den Finanzsektor und eine Technologiebasis zur Erfüllung von IT- und Geschäftsanforderungen.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Financial Services Applications ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.", title: "Angriff", }, { category: "general", text: "- Sonstiges\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-1638 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-1638.json", }, { category: "self", summary: "WID-SEC-2024-1638 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1638", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - July 2024 - Appendix Oracle Financial Services Applications vom 2024-07-16", url: "https://www.oracle.com/security-alerts/cpujul2024.html#AppendixIFLX", }, ], source_lang: "en-US", title: "Oracle Financial Services Applications: Mehrere Schwachstellen", tracking: { current_release_date: "2024-07-16T22:00:00.000+00:00", generator: { date: "2024-08-15T18:11:26.257+00:00", engine: { name: "BSI-WID", version: "1.3.5", }, }, id: "WID-SEC-W-2024-1638", initial_release_date: "2024-07-16T22:00:00.000+00:00", revision_history: [ { date: "2024-07-16T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "8.1.1", product: { name: "Oracle Financial Services Applications 8.1.1", product_id: "T019891", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1", }, }, }, { category: "product_version", name: "8.0.7", product: { name: "Oracle Financial Services Applications 8.0.7", product_id: "T021676", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.7", }, }, }, { category: "product_version", name: "8.0.8", product: { name: "Oracle Financial Services Applications 8.0.8", product_id: "T021677", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8", }, }, }, { category: "product_version", name: "8.1.1.1", product: { name: "Oracle Financial Services Applications 8.1.1.1", product_id: "T022835", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1.1", }, }, }, { category: "product_version", name: "8.0.8.0", product: { name: "Oracle Financial Services Applications 8.0.8.0", product_id: "T022841", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.0", }, }, }, { category: "product_version", name: "8.0.8.1", product: { name: "Oracle Financial Services Applications 8.0.8.1", product_id: "T022844", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.1", }, }, }, { category: "product_version", name: "8.0.7.3", product: { name: "Oracle Financial Services Applications 8.0.7.3", product_id: "T024989", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.7.3", }, }, }, { category: "product_version", name: "14.7.0.0.0", product: { name: "Oracle Financial Services Applications 14.7.0.0.0", product_id: "T028702", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.7.0.0.0", }, }, }, { category: "product_version", name: "8.1.2", product: { name: "Oracle Financial Services Applications 8.1.2", product_id: "T028705", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2", }, }, }, { category: "product_version", name: "8.1.2.5", product: { name: "Oracle Financial Services Applications 8.1.2.5", product_id: "T028706", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.5", }, }, }, { category: "product_version", name: "8.1.2.6", product: { name: "Oracle Financial Services Applications 8.1.2.6", product_id: "T032104", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.6", }, }, }, { category: "product_version", name: "14.5.0.0.0", product: { name: "Oracle Financial Services Applications 14.5.0.0.0", product_id: "T034160", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.5.0.0.0", }, }, }, { category: "product_version", name: "14.6.0.0.0", product: { name: "Oracle Financial Services Applications 14.6.0.0.0", product_id: "T034161", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.6.0.0.0", }, }, }, { category: "product_version", name: "2.12.0.0.0", product: { name: "Oracle Financial Services Applications 2.12.0.0.0", product_id: "T034162", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.12.0.0.0", }, }, }, { category: "product_version", name: "2.7.0.0.0", product: { name: "Oracle Financial Services Applications 2.7.0.0.0", product_id: "T034163", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.7.0.0.0", }, }, }, { category: "product_version", name: "14.4.0.0.0", product: { name: "Oracle Financial Services Applications 14.4.0.0.0", product_id: "T036215", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:14.4.0.0.0", }, }, }, { category: "product_version", name: "8.0.8.3", product: { name: "Oracle Financial Services Applications 8.0.8.3", product_id: "T036216", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.3", }, }, }, { category: "product_version", name: "8.1.2.7", product: { name: "Oracle Financial Services Applications 8.1.2.7", product_id: "T036217", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.7", }, }, }, { category: "product_version", name: "8.0.8.2.8", product: { name: "Oracle Financial Services Applications 8.0.8.2.8", product_id: "T036218", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.0.8.2.8", }, }, }, { category: "product_version", name: "8.1.1.1.18", product: { name: "Oracle Financial Services Applications 8.1.1.1.18", product_id: "T036219", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.1.1.18", }, }, }, { category: "product_version", name: "8.1.2.6.4", product: { name: "Oracle Financial Services Applications 8.1.2.6.4", product_id: "T036220", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.6.4", }, }, }, { category: "product_version", name: "8.1.2.7.3", product: { name: "Oracle Financial Services Applications 8.1.2.7.3", product_id: "T036221", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:8.1.2.7.3", }, }, }, { category: "product_version", name: "6.0.0.0.0", product: { name: "Oracle Financial Services Applications 6.0.0.0.0", product_id: "T036222", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:6.0.0.0.0", }, }, }, { category: "product_version", name: "6.1.0.0.0", product: { name: "Oracle Financial Services Applications 6.1.0.0.0", product_id: "T036223", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:6.1.0.0.0", }, }, }, { category: "product_version", name: "2.4.0.0.0", product: { name: "Oracle Financial Services Applications 2.4.0.0.0", product_id: "T036224", product_identification_helper: { cpe: "cpe:/a:oracle:financial_services_applications:2.4.0.0.0", }, }, }, ], category: "product_name", name: "Financial Services Applications", }, ], category: "vendor", name: "Oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2022-36944", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2022-36944", }, { cve: "CVE-2023-26031", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-26031", }, { cve: "CVE-2023-34055", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-34055", }, { cve: "CVE-2023-44483", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-44483", }, { cve: "CVE-2023-47248", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-47248", }, { cve: "CVE-2023-50447", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-50447", }, { cve: "CVE-2023-51074", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-51074", }, { cve: "CVE-2023-52425", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-52425", }, { cve: "CVE-2023-6129", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2023-6129", }, { cve: "CVE-2024-21188", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-21188", }, { cve: "CVE-2024-22201", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-22201", }, { cve: "CVE-2024-22262", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-22262", }, { cve: "CVE-2024-23807", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-23807", }, { cve: "CVE-2024-24549", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-24549", }, { cve: "CVE-2024-24816", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-24816", }, { cve: "CVE-2024-25062", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-25062", }, { cve: "CVE-2024-2511", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-2511", }, { cve: "CVE-2024-26308", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-26308", }, { cve: "CVE-2024-29025", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-29025", }, { cve: "CVE-2024-29133", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-29133", }, { cve: "CVE-2024-32114", notes: [ { category: "description", text: "In Oracle Financial Services Applications existieren mehrere Schwachstellen. Durch Ausnutzung dieser Schwachstellen kann ein entfernter, anonymer oder authentisierter Angreifer die Vertraulichkeit, Integrität und Verfügbarkeit gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"HIGH\" für \"Confidentiality\", \"Integrity\" und \"Availability\" über alle Schwachstellen aggregiert und bewirkt damit eine Bewertung mit dem Wert \"HOCH\" für die Schadenshöhe.", }, ], product_status: { known_affected: [ "T032104", "T036223", "T036224", "T034163", "T034162", "T019891", "T036220", "T036221", "T036222", "T021677", "T022844", "T021676", "T024989", "T028705", "T034161", "T022841", "T028706", "T034160", "T028702", "T036216", "T036217", "T036218", "T036219", "T036215", "T022835", ], }, release_date: "2024-07-16T22:00:00.000+00:00", title: "CVE-2024-32114", }, ], }
ghsa-pfh2-hfmq-phg5
Vulnerability from github
Published
2023-12-27 21:31
Modified
2024-05-15 06:51
Severity ?
Summary
json-path Out-of-bounds Write vulnerability
Details
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
{ affected: [ { package: { ecosystem: "Maven", name: "com.jayway.jsonpath:json-path", }, ranges: [ { events: [ { introduced: "2.2.0", }, { fixed: "2.9.0", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2023-51074", ], database_specific: { cwe_ids: [ "CWE-787", ], github_reviewed: true, github_reviewed_at: "2024-01-09T19:28:14Z", nvd_published_at: "2023-12-27T21:15:08Z", severity: "MODERATE", }, details: "json-path v2.8.0 was discovered to contain a stack overflow via the `Criteria.parse()` method.", id: "GHSA-pfh2-hfmq-phg5", modified: "2024-05-15T06:51:25Z", published: "2023-12-27T21:31:01Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { type: "WEB", url: "https://github.com/json-path/JsonPath/issues/973", }, { type: "WEB", url: "https://github.com/json-path/JsonPath/commit/71a09c1193726c010917f1157ecbb069ad6c3e3b", }, { type: "PACKAGE", url: "https://github.com/json-path/JsonPath", }, { type: "WEB", url: "https://github.com/json-path/JsonPath/releases/tag/json-path-2.9.0", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", type: "CVSS_V3", }, ], summary: "json-path Out-of-bounds Write vulnerability", }
RHSA-2024:0792
Vulnerability from csaf_redhat
Published
2024-02-12 17:37
Modified
2025-03-15 04:01
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 3.20.5 release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for 3.20.5 is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel for Spring Boot 3.20.5 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for 3.20.5 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nA Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:0792", url: "https://access.redhat.com/errata/RHSA-2024:0792", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0792.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update", tracking: { current_release_date: "2025-03-15T04:01:37+00:00", generator: { date: "2025-03-15T04:01:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:0792", initial_release_date: "2024-02-12T17:37:59+00:00", revision_history: [ { date: "2024-02-12T17:37:59+00:00", number: "1", summary: "Initial version", }, { date: "2024-02-12T17:37:59+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:01:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.20.5", product: { name: "RHINT Camel-Springboot 3.20.5", product_id: "RHINT Camel-Springboot 3.20.5", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.20.5", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.5", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T17:37:59+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.5", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0792", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.5", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, ], }
RHSA-2024:3527
Vulnerability from csaf_redhat
Published
2024-05-30 20:24
Modified
2025-03-15 04:02
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)\n* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)\n* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n* guava: insecure temporary directory creation (CVE-2023-2976)\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:3527", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "ENTMQST-5619", url: "https://issues.redhat.com/browse/ENTMQST-5619", }, { category: "external", summary: "ENTMQST-5881", url: "https://issues.redhat.com/browse/ENTMQST-5881", }, { category: "external", summary: "ENTMQST-5882", url: "https://issues.redhat.com/browse/ENTMQST-5882", }, { category: "external", summary: "ENTMQST-5883", url: "https://issues.redhat.com/browse/ENTMQST-5883", }, { category: "external", summary: "ENTMQST-5884", url: "https://issues.redhat.com/browse/ENTMQST-5884", }, { category: "external", summary: "ENTMQST-5885", url: "https://issues.redhat.com/browse/ENTMQST-5885", }, { category: "external", summary: "ENTMQST-5886", url: "https://issues.redhat.com/browse/ENTMQST-5886", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3527.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update", tracking: { current_release_date: "2025-03-15T04:02:14+00:00", generator: { date: "2025-03-15T04:02:14+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:3527", initial_release_date: "2024-05-30T20:24:46+00:00", revision_history: [ { date: "2024-05-30T20:24:46+00:00", number: "1", summary: "Initial version", }, { date: "2024-06-25T17:26:45+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:02:14+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.7.0", product: { name: "Red Hat AMQ Streams 2.7.0", product_id: "Red Hat AMQ Streams 2.7.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-3520", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2021-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1954559", }, ], notes: [ { category: "description", text: "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", title: "Vulnerability description", }, { category: "summary", text: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", title: "Vulnerability summary", }, { category: "other", text: "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3520", }, { category: "external", summary: "RHBZ#1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3520", url: "https://www.cve.org/CVERecord?id=CVE-2021-3520", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", }, ], release_date: "2021-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", }, { cve: "CVE-2021-24032", cwe: { id: "CWE-281", name: "Improper Preservation of Permissions", }, discovery_date: "2021-02-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1928090", }, ], notes: [ { category: "description", text: "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).", title: "Vulnerability description", }, { category: "summary", text: "zstd: Race condition allows attacker to access world-readable destination file", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.\n\nThis vulnerability can be considered low severity rather than moderate due to the fact that the elevated file permissions are only temporary and only exist during the compression or decompression process. Once the operation completes, the file permissions revert to their intended state, mirroring those of the input file. The risk is further minimized by the fact that the exposure window is brief, and the elevated permissions are not persistent. Additionally, the issue only arises during the processing of files, and only those with larger sizes or more involved operations would be at risk.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-24032", }, { category: "external", summary: "RHBZ#1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-24032", url: "https://www.cve.org/CVERecord?id=CVE-2021-24032", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", }, ], release_date: "2021-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: Race condition allows attacker to access world-readable destination file", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-4899", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-01-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2179864", }, ], notes: [ { category: "description", text: "A vulnerability was found in zstd. This flaw allows an attacker to supply an empty string as an argument to the command line tool to cause a buffer overrun.", title: "Vulnerability description", }, { category: "summary", text: "zstd: mysql: buffer overrun in util.c", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Moderate because a buffer overrun in Zstd can be triggered by supplying an empty string as an argument to the command-line tool. On exploitation, it could lead to application crashes or unpredictable behavior.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4899", }, { category: "external", summary: "RHBZ#2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4899", url: "https://www.cve.org/CVERecord?id=CVE-2022-4899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", }, ], release_date: "2022-07-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "zstd: mysql: buffer overrun in util.c", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2251281", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33202", }, { category: "external", summary: "RHBZ#2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33202", url: "https://www.cve.org/CVERecord?id=CVE-2023-33202", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", }, ], release_date: "2023-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", }, { cve: "CVE-2023-43642", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241722", }, ], notes: [ { category: "description", text: "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-43642", }, { category: "external", summary: "RHBZ#2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-43642", url: "https://www.cve.org/CVERecord?id=CVE-2023-43642", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", }, { category: "external", summary: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", url: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", }, ], release_date: "2023-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-1023", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-01-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2260840", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1023", }, { category: "external", summary: "RHBZ#2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1023", url: "https://www.cve.org/CVERecord?id=CVE-2024-1023", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/issues/5078", url: "https://github.com/eclipse-vertx/vert.x/issues/5078", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5080", url: "https://github.com/eclipse-vertx/vert.x/pull/5080", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5082", url: "https://github.com/eclipse-vertx/vert.x/pull/5082", }, ], release_date: "2024-01-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", }, { cve: "CVE-2024-1300", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2263139", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", title: "Vulnerability summary", }, { category: "other", text: "This affects only TLS servers with SNI enabled.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1300", }, { category: "external", summary: "RHBZ#2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1300", url: "https://www.cve.org/CVERecord?id=CVE-2024-1300", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", }, { category: "external", summary: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", url: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", }, ], release_date: "2024-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", }, { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-02-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264988", }, ], notes: [ { category: "description", text: "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-25710", }, { category: "external", summary: "RHBZ#2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-25710", url: "https://www.cve.org/CVERecord?id=CVE-2024-25710", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2024/02/19/1", url: "http://www.openwall.com/lists/oss-security/2024/02/19/1", }, { category: "external", summary: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", url: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "No mitigation is currently available for this vulnerability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, ], }
rhsa-2024:0792
Vulnerability from csaf_redhat
Published
2024-02-12 17:37
Modified
2025-03-15 04:01
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 3.20.5 release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for 3.20.5 is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel for Spring Boot 3.20.5 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for 3.20.5 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nA Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:0792", url: "https://access.redhat.com/errata/RHSA-2024:0792", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0792.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update", tracking: { current_release_date: "2025-03-15T04:01:37+00:00", generator: { date: "2025-03-15T04:01:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:0792", initial_release_date: "2024-02-12T17:37:59+00:00", revision_history: [ { date: "2024-02-12T17:37:59+00:00", number: "1", summary: "Initial version", }, { date: "2024-02-12T17:37:59+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:01:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.20.5", product: { name: "RHINT Camel-Springboot 3.20.5", product_id: "RHINT Camel-Springboot 3.20.5", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.20.5", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.5", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T17:37:59+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.5", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0792", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.5", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, ], }
RHSA-2024:2707
Vulnerability from csaf_redhat
Published
2024-05-06 14:10
Modified
2025-03-15 04:02
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel security update
Notes
Topic
Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)
* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
* guava: insecure temporary directory creation (CVE-2023-2976)
* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)\n\n* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)\n\n* guava: insecure temporary directory creation (CVE-2023-2976)\n\n* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:2707", url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2215214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215214", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2241822", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2259204", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2259204", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_2707.json", }, ], title: "Red Hat Security Advisory: Red Hat Build of Apache Camel security update", tracking: { current_release_date: "2025-03-15T04:02:02+00:00", generator: { date: "2025-03-15T04:02:02+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:2707", initial_release_date: "2024-05-06T14:10:14+00:00", revision_history: [ { date: "2024-05-06T14:10:14+00:00", number: "1", summary: "Initial version", }, { date: "2024-05-06T14:10:14+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:02:02+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product: { name: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product_id: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product_identification_helper: { cpe: "cpe:/a:redhat:apache-camel-spring-boot:4.4.0", }, }, }, ], category: "product_family", name: "Red Hat Build of Apache Camel", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-5685", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-10-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241822", }, ], notes: [ { category: "description", text: "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "xnio: StackOverflowException when the chain of notifier states becomes problematically big", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this vulnerability as an Important impact as the uncontrolled resource consumption may lead to Denial of Service (DoS). This might be intentioned by an attacker who is looking to jeopardize an environment.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-5685", }, { category: "external", summary: "RHBZ#2241822", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-5685", url: "https://www.cve.org/CVERecord?id=CVE-2023-5685", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", }, ], release_date: "2024-03-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xnio: StackOverflowException when the chain of notifier states becomes problematically big", }, { cve: "CVE-2023-35116", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215214", }, ], notes: [ { category: "description", text: "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: denial of service via cylic dependencies", title: "Vulnerability summary", }, { category: "other", text: "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-35116", }, { category: "external", summary: "RHBZ#2215214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215214", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-35116", url: "https://www.cve.org/CVERecord?id=CVE-2023-35116", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: denial of service via cylic dependencies", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-21733", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2024-01-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2259204", }, ], notes: [ { category: "description", text: "An information disclosure vulnerability was found in Apache Tomcat. Incomplete POST requests triggered an error response that could contain data from a previous HTTP request. This flaw allows a remote attacker to access files from another user that should be otherwise prevented by limits or authentication.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Leaking of unrelated request bodies in default error page", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux remains unaffected as the vulnerable version of Tomcat (e.g., versions 8.5.7 through 8.5.63 and 9.0.0 through 9.0.43) has not been shipped or included.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21733", }, { category: "external", summary: "RHBZ#2259204", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2259204", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21733", url: "https://www.cve.org/CVERecord?id=CVE-2024-21733", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21733", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21733", }, { category: "external", summary: "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz", url: "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz", }, { category: "external", summary: "https://www.openwall.com/lists/oss-security/2024/01/19/2", url: "https://www.openwall.com/lists/oss-security/2024/01/19/2", }, ], release_date: "2024-01-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: Leaking of unrelated request bodies in default error page", }, ], }
rhsa-2024:3527
Vulnerability from csaf_redhat
Published
2024-05-30 20:24
Modified
2025-03-15 04:02
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)\n* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)\n* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n* guava: insecure temporary directory creation (CVE-2023-2976)\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:3527", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "ENTMQST-5619", url: "https://issues.redhat.com/browse/ENTMQST-5619", }, { category: "external", summary: "ENTMQST-5881", url: "https://issues.redhat.com/browse/ENTMQST-5881", }, { category: "external", summary: "ENTMQST-5882", url: "https://issues.redhat.com/browse/ENTMQST-5882", }, { category: "external", summary: "ENTMQST-5883", url: "https://issues.redhat.com/browse/ENTMQST-5883", }, { category: "external", summary: "ENTMQST-5884", url: "https://issues.redhat.com/browse/ENTMQST-5884", }, { category: "external", summary: "ENTMQST-5885", url: "https://issues.redhat.com/browse/ENTMQST-5885", }, { category: "external", summary: "ENTMQST-5886", url: "https://issues.redhat.com/browse/ENTMQST-5886", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3527.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update", tracking: { current_release_date: "2025-03-15T04:02:14+00:00", generator: { date: "2025-03-15T04:02:14+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:3527", initial_release_date: "2024-05-30T20:24:46+00:00", revision_history: [ { date: "2024-05-30T20:24:46+00:00", number: "1", summary: "Initial version", }, { date: "2024-06-25T17:26:45+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:02:14+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.7.0", product: { name: "Red Hat AMQ Streams 2.7.0", product_id: "Red Hat AMQ Streams 2.7.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-3520", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2021-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1954559", }, ], notes: [ { category: "description", text: "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", title: "Vulnerability description", }, { category: "summary", text: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", title: "Vulnerability summary", }, { category: "other", text: "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3520", }, { category: "external", summary: "RHBZ#1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3520", url: "https://www.cve.org/CVERecord?id=CVE-2021-3520", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", }, ], release_date: "2021-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", }, { cve: "CVE-2021-24032", cwe: { id: "CWE-281", name: "Improper Preservation of Permissions", }, discovery_date: "2021-02-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1928090", }, ], notes: [ { category: "description", text: "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).", title: "Vulnerability description", }, { category: "summary", text: "zstd: Race condition allows attacker to access world-readable destination file", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.\n\nThis vulnerability can be considered low severity rather than moderate due to the fact that the elevated file permissions are only temporary and only exist during the compression or decompression process. Once the operation completes, the file permissions revert to their intended state, mirroring those of the input file. The risk is further minimized by the fact that the exposure window is brief, and the elevated permissions are not persistent. Additionally, the issue only arises during the processing of files, and only those with larger sizes or more involved operations would be at risk.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-24032", }, { category: "external", summary: "RHBZ#1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-24032", url: "https://www.cve.org/CVERecord?id=CVE-2021-24032", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", }, ], release_date: "2021-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: Race condition allows attacker to access world-readable destination file", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-4899", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-01-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2179864", }, ], notes: [ { category: "description", text: "A vulnerability was found in zstd. This flaw allows an attacker to supply an empty string as an argument to the command line tool to cause a buffer overrun.", title: "Vulnerability description", }, { category: "summary", text: "zstd: mysql: buffer overrun in util.c", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Moderate because a buffer overrun in Zstd can be triggered by supplying an empty string as an argument to the command-line tool. On exploitation, it could lead to application crashes or unpredictable behavior.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4899", }, { category: "external", summary: "RHBZ#2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4899", url: "https://www.cve.org/CVERecord?id=CVE-2022-4899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", }, ], release_date: "2022-07-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "zstd: mysql: buffer overrun in util.c", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2251281", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33202", }, { category: "external", summary: "RHBZ#2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33202", url: "https://www.cve.org/CVERecord?id=CVE-2023-33202", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", }, ], release_date: "2023-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", }, { cve: "CVE-2023-43642", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241722", }, ], notes: [ { category: "description", text: "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-43642", }, { category: "external", summary: "RHBZ#2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-43642", url: "https://www.cve.org/CVERecord?id=CVE-2023-43642", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", }, { category: "external", summary: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", url: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", }, ], release_date: "2023-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-1023", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-01-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2260840", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1023", }, { category: "external", summary: "RHBZ#2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1023", url: "https://www.cve.org/CVERecord?id=CVE-2024-1023", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/issues/5078", url: "https://github.com/eclipse-vertx/vert.x/issues/5078", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5080", url: "https://github.com/eclipse-vertx/vert.x/pull/5080", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5082", url: "https://github.com/eclipse-vertx/vert.x/pull/5082", }, ], release_date: "2024-01-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", }, { cve: "CVE-2024-1300", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2263139", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", title: "Vulnerability summary", }, { category: "other", text: "This affects only TLS servers with SNI enabled.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1300", }, { category: "external", summary: "RHBZ#2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1300", url: "https://www.cve.org/CVERecord?id=CVE-2024-1300", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", }, { category: "external", summary: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", url: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", }, ], release_date: "2024-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", }, { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-02-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264988", }, ], notes: [ { category: "description", text: "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-25710", }, { category: "external", summary: "RHBZ#2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-25710", url: "https://www.cve.org/CVERecord?id=CVE-2024-25710", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2024/02/19/1", url: "http://www.openwall.com/lists/oss-security/2024/02/19/1", }, { category: "external", summary: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", url: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "No mitigation is currently available for this vulnerability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, ], }
rhsa-2024_0789
Vulnerability from csaf_redhat
Published
2024-02-12 16:02
Modified
2024-12-17 22:33
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 release (RHBQ 3.2.10.Final)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Security Fix(es):
* parsson: Denial of Service due to large number parsing (CVE-2023-4043)
* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nSecurity Fix(es):\n\n* parsson: Denial of Service due to large number parsing (CVE-2023-4043)\n\n* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)\n\n* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:0789", url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhboac&downloadType=distributions&version=4.0.x", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhboac&downloadType=distributions&version=4.0.x", }, { category: "external", summary: "2246070", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246070", }, { category: "external", summary: "2254210", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", }, { category: "external", summary: "2254594", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254594", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0789.json", }, ], title: "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 release (RHBQ 3.2.10.Final)", tracking: { current_release_date: "2024-12-17T22:33:17+00:00", generator: { date: "2024-12-17T22:33:17+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:0789", initial_release_date: "2024-02-12T16:02:02+00:00", revision_history: [ { date: "2024-02-12T16:02:02+00:00", number: "1", summary: "Initial version", }, { date: "2024-02-12T16:02:02+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T22:33:17+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product: { name: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product_id: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:3", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-4043", cwe: { id: "CWE-834", name: "Excessive Iteration", }, discovery_date: "2023-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2254594", }, ], notes: [ { category: "description", text: "A flaw was found in Eclipse Parsson library when processing untrusted source content. This issue may cause a Denial of Service (DoS) due to built-in support for parsing numbers with a large scale, and some cases where processing a large number may take much more time than expected.", title: "Vulnerability description", }, { category: "summary", text: "parsson: Denial of Service due to large number parsing", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as an important impact since one needs to process untrusted and if there is no sanitization a Denial of Service (DoS) may happen.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-4043", }, { category: "external", summary: "RHBZ#2254594", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254594", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-4043", url: "https://www.cve.org/CVERecord?id=CVE-2023-4043", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-4043", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-4043", }, ], release_date: "2023-11-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "workaround", details: "Avoid processing untrusted sources content in order to minimize the chance for Denial of Service attack.", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "parsson: Denial of Service due to large number parsing", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, discovery_date: "2023-10-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2246070", }, ], notes: [ { category: "description", text: "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.\n", title: "Vulnerability description", }, { category: "summary", text: "santuario: Private Key disclosure in debug-log output", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-44483", }, { category: "external", summary: "RHBZ#2246070", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246070", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-44483", url: "https://www.cve.org/CVERecord?id=CVE-2023-44483", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2023/10/20/5", url: "http://www.openwall.com/lists/oss-security/2023/10/20/5", }, { category: "external", summary: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", url: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", }, ], release_date: "2023-10-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "santuario: Private Key disclosure in debug-log output", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, discovery_date: "2023-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2254210", }, ], notes: [ { category: "description", text: "A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.", title: "Vulnerability description", }, { category: "summary", text: "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", title: "Vulnerability summary", }, { category: "other", text: "This CVE is classified as moderate because the attack requires an active Man-in-the-Middle (MITM) who can intercept and modify the connection's traffic at the TCP/IP layer.\n\nAlthough the attack is cryptographically innovative, its security impact is fortunately quite limited. It only allows the deletion of consecutive messages, and deleting most messages at this protocol stage prevents user authentication from proceeding, leading to a stalled connection.\n\nThe most significant identified impact is that it enables a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication begins. This allows the attacker to disable a subset of keystroke timing obfuscation features. However, there is no other observable impact on session secrecy or session integrity.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-48795", }, { category: "external", summary: "RHBZ#2254210", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-48795", url: "https://www.cve.org/CVERecord?id=CVE-2023-48795", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "https://access.redhat.com/solutions/7071748", url: "https://access.redhat.com/solutions/7071748", }, { category: "external", summary: "https://terrapin-attack.com/", url: "https://terrapin-attack.com/", }, ], release_date: "2023-12-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "workaround", details: "Update to the last version and check that client and server provide kex pseudo-algorithms indicating usage of the updated version of the protocol which is protected from the attack. If \"kex-strict-c-v00@openssh.com\" is provided by clients and \"kex-strict-s-v00@openssh.com\" is in the server's reply, no other steps are necessary.\n\nDisabling ciphers if necessary:\n\nIf \"kex-strict-c-v00@openssh.com\" is not provided by clients or \"kex-strict-s-v00@openssh.com\" is absent in the server's reply, you can disable the following ciphers and HMACs as a workaround on RHEL-8 and RHEL-9:\n\n1. chacha20-poly1305@openssh.com\n2. hmac-sha2-512-etm@openssh.com\n3. hmac-sha2-256-etm@openssh.com\n4. hmac-sha1-etm@openssh.com\n5. hmac-md5-etm@openssh.com\n\nTo do that through crypto-policies, one can apply a subpolicy with the following content:\n```\ncipher@SSH = -CHACHA20-POLY1305\nssh_etm = 0\n```\ne.g., by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting openssh server.\n\nOne can verify that the changes are in effect by ensuring the ciphers listed above are missing from both `/etc/crypto-policies/back-ends/openssh.config` and `/etc/crypto-policies/back-ends/opensshserver.config`.\n\nFor more details on using crypto-policies, please refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening\n\nNote that this procedure does limit the interoperability of the host and is only suggested as a temporary mitigation until the issue is fully resolved with an update.\n\nFor RHEL-7: \nWe can recommend to use strict MACs and Ciphers on RHEL7 in both files /etc/ssh/ssh_config and /etc/ssh/sshd_config.\n\nBelow strict set of Ciphers and MACs can be used as mitigation for RHEL 7.\n\n```\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\nMACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512\n```\n\n- For Openshift Container Platform 4:\nPlease refer the KCS[1] document for verifying the fix in RHCOS.\n\n[1] https://access.redhat.com/solutions/7071748", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, ], }
rhsa-2024_2707
Vulnerability from csaf_redhat
Published
2024-05-06 14:10
Modified
2024-12-17 04:52
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel security update
Notes
Topic
Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)
* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
* guava: insecure temporary directory creation (CVE-2023-2976)
* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)\n\n* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)\n\n* guava: insecure temporary directory creation (CVE-2023-2976)\n\n* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:2707", url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2215214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215214", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2241822", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2259204", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2259204", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_2707.json", }, ], title: "Red Hat Security Advisory: Red Hat Build of Apache Camel security update", tracking: { current_release_date: "2024-12-17T04:52:54+00:00", generator: { date: "2024-12-17T04:52:54+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:2707", initial_release_date: "2024-05-06T14:10:14+00:00", revision_history: [ { date: "2024-05-06T14:10:14+00:00", number: "1", summary: "Initial version", }, { date: "2024-05-06T14:10:14+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T04:52:54+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product: { name: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product_id: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product_identification_helper: { cpe: "cpe:/a:redhat:apache-camel-spring-boot:4.4.0", }, }, }, ], category: "product_family", name: "Red Hat Build of Apache Camel", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-5685", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-10-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241822", }, ], notes: [ { category: "description", text: "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "xnio: StackOverflowException when the chain of notifier states becomes problematically big", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this vulnerability as an Important impact as the uncontrolled resource consumption may lead to Denial of Service (DoS). This might be intentioned by an attacker who is looking to jeopardize an environment.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-5685", }, { category: "external", summary: "RHBZ#2241822", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-5685", url: "https://www.cve.org/CVERecord?id=CVE-2023-5685", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", }, ], release_date: "2024-03-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xnio: StackOverflowException when the chain of notifier states becomes problematically big", }, { cve: "CVE-2023-35116", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215214", }, ], notes: [ { category: "description", text: "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: denial of service via cylic dependencies", title: "Vulnerability summary", }, { category: "other", text: "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-35116", }, { category: "external", summary: "RHBZ#2215214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215214", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-35116", url: "https://www.cve.org/CVERecord?id=CVE-2023-35116", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: denial of service via cylic dependencies", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-21733", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2024-01-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2259204", }, ], notes: [ { category: "description", text: "An information disclosure vulnerability was found in Apache Tomcat. Incomplete POST requests triggered an error response that could contain data from a previous HTTP request. This flaw allows a remote attacker to access files from another user that should be otherwise prevented by limits or authentication.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Leaking of unrelated request bodies in default error page", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux remains unaffected as the vulnerable version of Tomcat (e.g., versions 8.5.7 through 8.5.63 and 9.0.0 through 9.0.43) has not been shipped or included.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21733", }, { category: "external", summary: "RHBZ#2259204", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2259204", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21733", url: "https://www.cve.org/CVERecord?id=CVE-2024-21733", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21733", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21733", }, { category: "external", summary: "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz", url: "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz", }, { category: "external", summary: "https://www.openwall.com/lists/oss-security/2024/01/19/2", url: "https://www.openwall.com/lists/oss-security/2024/01/19/2", }, ], release_date: "2024-01-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: Leaking of unrelated request bodies in default error page", }, ], }
rhsa-2024:2707
Vulnerability from csaf_redhat
Published
2024-05-06 14:10
Modified
2025-03-15 04:02
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel security update
Notes
Topic
Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)
* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)
* guava: insecure temporary directory creation (CVE-2023-2976)
* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat build of Apache Camel 4.4.0 for Spring Boot release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* xnio: StackOverflowException when the chain of notifier states becomes problematically big (CVE-2023-5685)\n\n* tomcat: Leaking of unrelated request bodies in default error page (CVE-2024-21733)\n\n* guava: insecure temporary directory creation (CVE-2023-2976)\n\n* jackson-databind: denial of service via cylic dependencies (CVE-2023-35116)\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:2707", url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2215214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215214", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2241822", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2259204", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2259204", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_2707.json", }, ], title: "Red Hat Security Advisory: Red Hat Build of Apache Camel security update", tracking: { current_release_date: "2025-03-15T04:02:02+00:00", generator: { date: "2025-03-15T04:02:02+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:2707", initial_release_date: "2024-05-06T14:10:14+00:00", revision_history: [ { date: "2024-05-06T14:10:14+00:00", number: "1", summary: "Initial version", }, { date: "2024-05-06T14:10:14+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-15T04:02:02+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product: { name: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product_id: "Red Hat build of Apache Camel 4.4.0 for Spring Boot", product_identification_helper: { cpe: "cpe:/a:redhat:apache-camel-spring-boot:4.4.0", }, }, }, ], category: "product_family", name: "Red Hat Build of Apache Camel", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-5685", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-10-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241822", }, ], notes: [ { category: "description", text: "A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "xnio: StackOverflowException when the chain of notifier states becomes problematically big", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this vulnerability as an Important impact as the uncontrolled resource consumption may lead to Denial of Service (DoS). This might be intentioned by an attacker who is looking to jeopardize an environment.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-5685", }, { category: "external", summary: "RHBZ#2241822", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241822", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-5685", url: "https://www.cve.org/CVERecord?id=CVE-2023-5685", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-5685", }, ], release_date: "2024-03-05T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "There is currently no mitigation available for this vulnerability. Please keep the packages up-to-date as the updates become available.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xnio: StackOverflowException when the chain of notifier states becomes problematically big", }, { cve: "CVE-2023-35116", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215214", }, ], notes: [ { category: "description", text: "jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: denial of service via cylic dependencies", title: "Vulnerability summary", }, { category: "other", text: "This CVE is disputed by the component developers and is under reconsideration by NIST. As such, it should be excluded from scanning utilities or other compliance systems until the dispute is finalized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-35116", }, { category: "external", summary: "RHBZ#2215214", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215214", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-35116", url: "https://www.cve.org/CVERecord?id=CVE-2023-35116", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-35116", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "jackson-databind should not be used to deserialize untrusted inputs. User inputs should be validated and sanitized before processing.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jackson-databind: denial of service via cylic dependencies", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-21733", cwe: { id: "CWE-209", name: "Generation of Error Message Containing Sensitive Information", }, discovery_date: "2024-01-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2259204", }, ], notes: [ { category: "description", text: "An information disclosure vulnerability was found in Apache Tomcat. Incomplete POST requests triggered an error response that could contain data from a previous HTTP request. This flaw allows a remote attacker to access files from another user that should be otherwise prevented by limits or authentication.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Leaking of unrelated request bodies in default error page", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Enterprise Linux remains unaffected as the vulnerable version of Tomcat (e.g., versions 8.5.7 through 8.5.63 and 9.0.0 through 9.0.43) has not been shipped or included.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-21733", }, { category: "external", summary: "RHBZ#2259204", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2259204", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-21733", url: "https://www.cve.org/CVERecord?id=CVE-2024-21733", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-21733", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21733", }, { category: "external", summary: "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz", url: "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz", }, { category: "external", summary: "https://www.openwall.com/lists/oss-security/2024/01/19/2", url: "https://www.openwall.com/lists/oss-security/2024/01/19/2", }, ], release_date: "2024-01-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-06T14:10:14+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:2707", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat build of Apache Camel 4.4.0 for Spring Boot", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: Leaking of unrelated request bodies in default error page", }, ], }
rhsa-2024_3527
Vulnerability from csaf_redhat
Published
2024-05-30 20:24
Modified
2024-12-17 08:36
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update
Notes
Topic
Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)
* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)
* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)
* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)
* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)
* apache-commons-text: variable interpolation RCE (CVE-2022-42889)
* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)
* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)
* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)
* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
* guava: insecure temporary directory creation (CVE-2023-2976)
* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)
* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 2.7.0 serves as a replacement for Red Hat AMQ Streams 2.6.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n* zstd: Race condition allows attacker to access world-readable destination file (CVE-2021-24032)\n* RocksDB: zstd: mysql: buffer overrun in util.c (CVE-2022-4899)\n* netty-codec-http: Allocation of Resources Without Limits or Throttling (CVE-2024-29025)\n* commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file (CVE-2024-25710)\n* apache-commons-text: variable interpolation RCE (CVE-2022-42889)\n* snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact (CVE-2023-43642)\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion) (CVE-2023-1370)\n* protobuf-java: timeout in parser leads to DoS (CVE-2022-3171)\n* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing (CVE-2022-42920)\n* bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class (CVE-2023-33202)\n* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n* guava: insecure temporary directory creation (CVE-2023-2976)\n* io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support (CVE-2024-1300)\n* io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx (CVE-2024-1023)\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:3527", url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "ENTMQST-5619", url: "https://issues.redhat.com/browse/ENTMQST-5619", }, { category: "external", summary: "ENTMQST-5881", url: "https://issues.redhat.com/browse/ENTMQST-5881", }, { category: "external", summary: "ENTMQST-5882", url: "https://issues.redhat.com/browse/ENTMQST-5882", }, { category: "external", summary: "ENTMQST-5883", url: "https://issues.redhat.com/browse/ENTMQST-5883", }, { category: "external", summary: "ENTMQST-5884", url: "https://issues.redhat.com/browse/ENTMQST-5884", }, { category: "external", summary: "ENTMQST-5885", url: "https://issues.redhat.com/browse/ENTMQST-5885", }, { category: "external", summary: "ENTMQST-5886", url: "https://issues.redhat.com/browse/ENTMQST-5886", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_3527.json", }, ], title: "Red Hat Security Advisory: Red Hat AMQ Streams 2.7.0 release and security update", tracking: { current_release_date: "2024-12-17T08:36:55+00:00", generator: { date: "2024-12-17T08:36:55+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:3527", initial_release_date: "2024-05-30T20:24:46+00:00", revision_history: [ { date: "2024-05-30T20:24:46+00:00", number: "1", summary: "Initial version", }, { date: "2024-06-25T17:26:45+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T08:36:55+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat AMQ Streams 2.7.0", product: { name: "Red Hat AMQ Streams 2.7.0", product_id: "Red Hat AMQ Streams 2.7.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2021-3520", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2021-03-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1954559", }, ], notes: [ { category: "description", text: "There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.", title: "Vulnerability description", }, { category: "summary", text: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", title: "Vulnerability summary", }, { category: "other", text: "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-3520", }, { category: "external", summary: "RHBZ#1954559", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1954559", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-3520", url: "https://www.cve.org/CVERecord?id=CVE-2021-3520", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-3520", }, ], release_date: "2021-04-28T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "lz4: memory corruption due to an integer overflow bug caused by memmove argument", }, { cve: "CVE-2021-24032", cwe: { id: "CWE-281", name: "Improper Preservation of Permissions", }, discovery_date: "2021-02-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1928090", }, ], notes: [ { category: "description", text: "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).", title: "Vulnerability description", }, { category: "summary", text: "zstd: Race condition allows attacker to access world-readable destination file", title: "Vulnerability summary", }, { category: "other", text: "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2021-24032", }, { category: "external", summary: "RHBZ#1928090", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1928090", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2021-24032", url: "https://www.cve.org/CVERecord?id=CVE-2021-24032", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", url: "https://nvd.nist.gov/vuln/detail/CVE-2021-24032", }, ], release_date: "2021-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: Race condition allows attacker to access world-readable destination file", }, { cve: "CVE-2022-3171", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2022-10-18T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2137645", }, ], notes: [ { category: "description", text: "A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", title: "Vulnerability description", }, { category: "summary", text: "protobuf-java: timeout in parser leads to DoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-3171", }, { category: "external", summary: "RHBZ#2137645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2137645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-3171", url: "https://www.cve.org/CVERecord?id=CVE-2022-3171", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-3171", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", url: "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2", }, ], release_date: "2022-10-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "protobuf-java: timeout in parser leads to DoS", }, { cve: "CVE-2022-4899", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-01-31T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2179864", }, ], notes: [ { category: "description", text: "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", title: "Vulnerability description", }, { category: "summary", text: "zstd: mysql: buffer overrun in util.c", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-4899", }, { category: "external", summary: "RHBZ#2179864", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2179864", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-4899", url: "https://www.cve.org/CVERecord?id=CVE-2022-4899", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-4899", }, ], release_date: "2022-07-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "zstd: mysql: buffer overrun in util.c", }, { cve: "CVE-2022-42889", cwe: { id: "CWE-1188", name: "Initialization of a Resource with an Insecure Default", }, discovery_date: "2022-10-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2135435", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-text: variable interpolation RCE", title: "Vulnerability summary", }, { category: "other", text: "In order to carry successful exploitation of this vulnerability, the following conditions must be in place on the affected target:\n - Usage of specific methods that interpolate the variables as described in the flaw\n - Usage of external input for those methods\n - Usage of that external input has to be unsanitized/no \"allow list\"/etc.\n\nThe following products have *Low* impact because they have maven references to the affected package but do not ship it nor use the code:\n- Red Hat EAP Expansion Pack (EAP-XP)\n- Red Hat Camel-K\n- Red Hat Camel-Quarkus\n\nRed Hat Satellite ships Candlepin that embeds Apache Commons Text, however, it is not vulnerable to the flaw since the library has not been exposed in the product code. In Candlepin, the Commons Text is being pulled for the Liquibase and ActiveMQ Artemis libraries as a dependency. Red Hat Product Security has evaluated and rated the impact of the flaw as Low for Satellite since there was no harm identified to the confidentiality, integrity, or availability of systems.\n\n- The OCP has a *Moderate* impact because the affected library is a third-party library in the OCP jenkins-2-plugin component which reduces the possibilities of successful exploitation.\n- The OCP-4.8 is affected by this CVE and is in an extended life phase. For versions of products in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42889", }, { category: "external", summary: "RHBZ#2135435", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2135435", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42889", url: "https://www.cve.org/CVERecord?id=CVE-2022-42889", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42889", }, { category: "external", summary: "https://blogs.apache.org/security/entry/cve-2022-42889", url: "https://blogs.apache.org/security/entry/cve-2022-42889", }, { category: "external", summary: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { category: "external", summary: "https://seclists.org/oss-sec/2022/q4/22", url: "https://seclists.org/oss-sec/2022/q4/22", }, ], release_date: "2022-10-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "This flaw may be avoided by ensuring that any external inputs used with the Commons-Text lookup methods are sanitized properly. Untrusted input should always be thoroughly sanitized before using in any potentially risky situations.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Critical", }, ], title: "apache-commons-text: variable interpolation RCE", }, { cve: "CVE-2022-42920", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, discovery_date: "2022-11-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2142707", }, ], notes: [ { category: "description", text: "An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.", title: "Vulnerability description", }, { category: "summary", text: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", title: "Vulnerability summary", }, { category: "other", text: "Fuse 7 ships the code in question but does not utilize it in the product, so it is affected at a reduced impact of Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2022-42920", }, { category: "external", summary: "RHBZ#2142707", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2142707", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2022-42920", url: "https://www.cve.org/CVERecord?id=CVE-2022-42920", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-42920", }, { category: "external", summary: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", url: "https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4", }, ], release_date: "2022-11-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing", }, { cve: "CVE-2023-1370", cwe: { id: "CWE-674", name: "Uncontrolled Recursion", }, discovery_date: "2023-04-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2188542", }, ], notes: [ { category: "description", text: "A flaw was found in the json-smart package. This security flaw occurs when reaching a ‘[‘ or ‘{‘ character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.", title: "Vulnerability description", }, { category: "summary", text: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-1370", }, { category: "external", summary: "RHBZ#2188542", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2188542", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-1370", url: "https://www.cve.org/CVERecord?id=CVE-2023-1370", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-1370", }, { category: "external", summary: "https://github.com/advisories/GHSA-493p-pfq6-5258", url: "https://github.com/advisories/GHSA-493p-pfq6-5258", }, { category: "external", summary: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", url: "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/", }, ], release_date: "2023-03-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)", }, { cve: "CVE-2023-2976", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2023-06-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215229", }, ], notes: [ { category: "description", text: "A flaw was found in Guava. The methodology for temporary directories and files can allow other local users or apps with accordant permissions to access the temp files, possibly leading to information exposure or tampering in the files created in the directory.", title: "Vulnerability description", }, { category: "summary", text: "guava: insecure temporary directory creation", title: "Vulnerability summary", }, { category: "other", text: "Red Hat Single Sign-On 7 ships the affected component as a layered product of Red Hat JBoss Enterprise Application 7, and as such is affected by this flaw. However, Single Sign-On 7 does not use the affected code and is not vulnerable to exploit.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-2976", }, { category: "external", summary: "RHBZ#2215229", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215229", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-2976", url: "https://www.cve.org/CVERecord?id=CVE-2023-2976", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-2976", }, ], release_date: "2023-06-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Temp files should be created with sufficiently non-predictable names and in a secure-permissioned, dedicated temp folder.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "guava: insecure temporary directory creation", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, discovery_date: "2023-06-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2215465", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.", title: "Vulnerability description", }, { category: "summary", text: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33201", }, { category: "external", summary: "RHBZ#2215465", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2215465", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33201", url: "https://www.cve.org/CVERecord?id=CVE-2023-33201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33201", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201", }, ], release_date: "2023-06-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bouncycastle: potential blind LDAP injection attack using a self-signed certificate", }, { cve: "CVE-2023-33202", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2023-11-23T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2251281", }, ], notes: [ { category: "description", text: "A flaw was found in Bouncy Castle for the Java pkix module, which is vulnerable to a potential Denial of Service (DoS) issue within the org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", title: "Vulnerability description", }, { category: "summary", text: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-33202", }, { category: "external", summary: "RHBZ#2251281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2251281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-33202", url: "https://www.cve.org/CVERecord?id=CVE-2023-33202", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-33202", }, { category: "external", summary: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", url: "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202", }, ], release_date: "2023-11-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "bc-java: Out of memory while parsing ASN.1 crafted data in org.bouncycastle.openssl.PEMParser class", }, { cve: "CVE-2023-43642", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2023-09-26T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2241722", }, ], notes: [ { category: "description", text: "A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-43642", }, { category: "external", summary: "RHBZ#2241722", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2241722", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-43642", url: "https://www.cve.org/CVERecord?id=CVE-2023-43642", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-43642", }, { category: "external", summary: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", url: "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", }, ], release_date: "2023-09-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "snappy-java: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service (DoS) impact", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, { cve: "CVE-2024-1023", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-01-29T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2260840", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1023", }, { category: "external", summary: "RHBZ#2260840", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2260840", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1023", url: "https://www.cve.org/CVERecord?id=CVE-2024-1023", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1023", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/issues/5078", url: "https://github.com/eclipse-vertx/vert.x/issues/5078", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5080", url: "https://github.com/eclipse-vertx/vert.x/pull/5080", }, { category: "external", summary: "https://github.com/eclipse-vertx/vert.x/pull/5082", url: "https://github.com/eclipse-vertx/vert.x/pull/5082", }, ], release_date: "2024-01-26T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx/vertx-core: memory leak due to the use of Netty FastThreadLocal data structures in Vertx", }, { cve: "CVE-2024-1300", cwe: { id: "CWE-401", name: "Missing Release of Memory after Effective Lifetime", }, discovery_date: "2024-02-07T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2263139", }, ], notes: [ { category: "description", text: "A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.", title: "Vulnerability description", }, { category: "summary", text: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", title: "Vulnerability summary", }, { category: "other", text: "This affects only TLS servers with SNI enabled.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-1300", }, { category: "external", summary: "RHBZ#2263139", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2263139", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-1300", url: "https://www.cve.org/CVERecord?id=CVE-2024-1300", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1300", }, { category: "external", summary: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", url: "https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.", }, ], release_date: "2024-02-06T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support", }, { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-25710", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, discovery_date: "2024-02-19T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2264988", }, ], notes: [ { category: "description", text: "A loop with an unreachable exit condition (Infinite Loop) vulnerability was found in Apache Common Compress. This issue can lead to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-25710", }, { category: "external", summary: "RHBZ#2264988", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264988", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-25710", url: "https://www.cve.org/CVERecord?id=CVE-2024-25710", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25710", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2024/02/19/1", url: "http://www.openwall.com/lists/oss-security/2024/02/19/1", }, { category: "external", summary: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", url: "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf", }, ], release_date: "2024-02-19T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "No mitigation is currently available for this vulnerability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "commons-compress: Denial of service caused by an infinite loop for a corrupted DUMP file", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat AMQ Streams 2.7.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-05-30T20:24:46+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:3527", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat AMQ Streams 2.7.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Red Hat AMQ Streams 2.7.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, ], }
rhsa-2024_0792
Vulnerability from csaf_redhat
Published
2024-02-12 17:37
Modified
2024-11-15 17:41
Summary
Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update
Notes
Topic
Red Hat Integration Camel for Spring Boot 3.20.5 release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A security update for 3.20.5 is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat Integration Camel for Spring Boot 3.20.5 release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "A security update for 3.20.5 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nA Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:0792", url: "https://access.redhat.com/errata/RHSA-2024:0792", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0792.json", }, ], title: "Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.5 release and security update", tracking: { current_release_date: "2024-11-15T17:41:42+00:00", generator: { date: "2024-11-15T17:41:42+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2024:0792", initial_release_date: "2024-02-12T17:37:59+00:00", revision_history: [ { date: "2024-02-12T17:37:59+00:00", number: "1", summary: "Initial version", }, { date: "2024-02-12T17:37:59+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-15T17:41:42+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHINT Camel-Springboot 3.20.5", product: { name: "RHINT Camel-Springboot 3.20.5", product_id: "RHINT Camel-Springboot 3.20.5", product_identification_helper: { cpe: "cpe:/a:redhat:camel_spring_boot:3.20.5", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHINT Camel-Springboot 3.20.5", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T17:37:59+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "RHINT Camel-Springboot 3.20.5", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0792", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHINT Camel-Springboot 3.20.5", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, ], }
rhsa-2024:0789
Vulnerability from csaf_redhat
Published
2024-02-12 16:02
Modified
2025-03-20 14:51
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 release (RHBQ 3.2.10.Final)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Security Fix(es):
* parsson: Denial of Service due to large number parsing (CVE-2023-4043)
* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nSecurity Fix(es):\n\n* parsson: Denial of Service due to large number parsing (CVE-2023-4043)\n\n* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)\n\n* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:0789", url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhboac&downloadType=distributions&version=4.0.x", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhboac&downloadType=distributions&version=4.0.x", }, { category: "external", summary: "2246070", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246070", }, { category: "external", summary: "2254210", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", }, { category: "external", summary: "2254594", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254594", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0789.json", }, ], title: "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 release (RHBQ 3.2.10.Final)", tracking: { current_release_date: "2025-03-20T14:51:22+00:00", generator: { date: "2025-03-20T14:51:22+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:0789", initial_release_date: "2024-02-12T16:02:02+00:00", revision_history: [ { date: "2024-02-12T16:02:02+00:00", number: "1", summary: "Initial version", }, { date: "2024-02-12T16:02:02+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-20T14:51:22+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product: { name: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product_id: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:3", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-4043", cwe: { id: "CWE-834", name: "Excessive Iteration", }, discovery_date: "2023-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2254594", }, ], notes: [ { category: "description", text: "A flaw was found in Eclipse Parsson library when processing untrusted source content. This issue may cause a Denial of Service (DoS) due to built-in support for parsing numbers with a large scale, and some cases where processing a large number may take much more time than expected.", title: "Vulnerability description", }, { category: "summary", text: "parsson: Denial of Service due to large number parsing", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as an important impact since one needs to process untrusted and if there is no sanitization a Denial of Service (DoS) may happen.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-4043", }, { category: "external", summary: "RHBZ#2254594", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254594", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-4043", url: "https://www.cve.org/CVERecord?id=CVE-2023-4043", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-4043", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-4043", }, ], release_date: "2023-11-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "workaround", details: "Avoid processing untrusted sources content in order to minimize the chance for Denial of Service attack.", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "parsson: Denial of Service due to large number parsing", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, discovery_date: "2023-10-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2246070", }, ], notes: [ { category: "description", text: "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.", title: "Vulnerability description", }, { category: "summary", text: "santuario: Private Key disclosure in debug-log output", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-44483", }, { category: "external", summary: "RHBZ#2246070", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246070", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-44483", url: "https://www.cve.org/CVERecord?id=CVE-2023-44483", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2023/10/20/5", url: "http://www.openwall.com/lists/oss-security/2023/10/20/5", }, { category: "external", summary: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", url: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", }, ], release_date: "2023-10-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "santuario: Private Key disclosure in debug-log output", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, discovery_date: "2023-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2254210", }, ], notes: [ { category: "description", text: "A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.", title: "Vulnerability description", }, { category: "summary", text: "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", title: "Vulnerability summary", }, { category: "other", text: "This CVE is classified as moderate because the attack requires an active Man-in-the-Middle (MITM) who can intercept and modify the connection's traffic at the TCP/IP layer.\n\nAlthough the attack is cryptographically innovative, its security impact is fortunately quite limited. It only allows the deletion of consecutive messages, and deleting most messages at this protocol stage prevents user authentication from proceeding, leading to a stalled connection.\n\nThe most significant identified impact is that it enables a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication begins. This allows the attacker to disable a subset of keystroke timing obfuscation features. However, there is no other observable impact on session secrecy or session integrity.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-48795", }, { category: "external", summary: "RHBZ#2254210", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-48795", url: "https://www.cve.org/CVERecord?id=CVE-2023-48795", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "https://access.redhat.com/solutions/7071748", url: "https://access.redhat.com/solutions/7071748", }, { category: "external", summary: "https://terrapin-attack.com/", url: "https://terrapin-attack.com/", }, ], release_date: "2023-12-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "workaround", details: "Update to the last version and check that client and server provide kex pseudo-algorithms indicating usage of the updated version of the protocol which is protected from the attack. If \"kex-strict-c-v00@openssh.com\" is provided by clients and \"kex-strict-s-v00@openssh.com\" is in the server's reply, no other steps are necessary.\n\nDisabling ciphers if necessary:\n\nIf \"kex-strict-c-v00@openssh.com\" is not provided by clients or \"kex-strict-s-v00@openssh.com\" is absent in the server's reply, you can disable the following ciphers and HMACs as a workaround on RHEL-8 and RHEL-9:\n\n1. chacha20-poly1305@openssh.com\n2. hmac-sha2-512-etm@openssh.com\n3. hmac-sha2-256-etm@openssh.com\n4. hmac-sha1-etm@openssh.com\n5. hmac-md5-etm@openssh.com\n\nTo do that through crypto-policies, one can apply a subpolicy with the following content:\n```\ncipher@SSH = -CHACHA20-POLY1305\nssh_etm = 0\n```\ne.g., by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting openssh server.\n\nOne can verify that the changes are in effect by ensuring the ciphers listed above are missing from both `/etc/crypto-policies/back-ends/openssh.config` and `/etc/crypto-policies/back-ends/opensshserver.config`.\n\nFor more details on using crypto-policies, please refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening\n\nNote that this procedure does limit the interoperability of the host and is only suggested as a temporary mitigation until the issue is fully resolved with an update.\n\nFor RHEL-7: \nWe can recommend to use strict MACs and Ciphers on RHEL7 in both files /etc/ssh/ssh_config and /etc/ssh/sshd_config.\n\nBelow strict set of Ciphers and MACs can be used as mitigation for RHEL 7.\n\n```\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\nMACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512\n```\n\n- For Openshift Container Platform 4:\nPlease refer the KCS[1] document for verifying the fix in RHCOS.\n\n[1] https://access.redhat.com/solutions/7071748", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, ], }
RHSA-2024:0789
Vulnerability from csaf_redhat
Published
2024-02-12 16:02
Modified
2025-03-20 14:51
Summary
Red Hat Security Advisory: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 release (RHBQ 3.2.10.Final)
Notes
Topic
An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final).
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Security Fix(es):
* parsson: Denial of Service due to large number parsing (CVE-2023-4043)
* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)
* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)
* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final).\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "An update for Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 is now available (updates to RHBQ 3.2.10.Final). The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nSecurity Fix(es):\n\n* parsson: Denial of Service due to large number parsing (CVE-2023-4043)\n\n* santuario: Private Key disclosure in debug-log output (CVE-2023-44483)\n\n* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)\n\n* json-path: stack-based buffer overflow in Criteria.parse method (CVE-2023-51074)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:0789", url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhboac&downloadType=distributions&version=4.0.x", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=rhboac&downloadType=distributions&version=4.0.x", }, { category: "external", summary: "2246070", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246070", }, { category: "external", summary: "2254210", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", }, { category: "external", summary: "2254594", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254594", }, { category: "external", summary: "2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_0789.json", }, ], title: "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.0 for Quarkus 3.2 release (RHBQ 3.2.10.Final)", tracking: { current_release_date: "2025-03-20T14:51:22+00:00", generator: { date: "2025-03-20T14:51:22+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:0789", initial_release_date: "2024-02-12T16:02:02+00:00", revision_history: [ { date: "2024-02-12T16:02:02+00:00", number: "1", summary: "Initial version", }, { date: "2024-02-12T16:02:02+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-20T14:51:22+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product: { name: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product_id: "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", product_identification_helper: { cpe: "cpe:/a:redhat:camel_quarkus:3", }, }, }, ], category: "product_family", name: "Red Hat Integration", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-4043", cwe: { id: "CWE-834", name: "Excessive Iteration", }, discovery_date: "2023-12-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2254594", }, ], notes: [ { category: "description", text: "A flaw was found in Eclipse Parsson library when processing untrusted source content. This issue may cause a Denial of Service (DoS) due to built-in support for parsing numbers with a large scale, and some cases where processing a large number may take much more time than expected.", title: "Vulnerability description", }, { category: "summary", text: "parsson: Denial of Service due to large number parsing", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as an important impact since one needs to process untrusted and if there is no sanitization a Denial of Service (DoS) may happen.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-4043", }, { category: "external", summary: "RHBZ#2254594", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254594", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-4043", url: "https://www.cve.org/CVERecord?id=CVE-2023-4043", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-4043", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-4043", }, ], release_date: "2023-11-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "workaround", details: "Avoid processing untrusted sources content in order to minimize the chance for Denial of Service attack.", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "parsson: Denial of Service due to large number parsing", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, discovery_date: "2023-10-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2246070", }, ], notes: [ { category: "description", text: "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.", title: "Vulnerability description", }, { category: "summary", text: "santuario: Private Key disclosure in debug-log output", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-44483", }, { category: "external", summary: "RHBZ#2246070", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2246070", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-44483", url: "https://www.cve.org/CVERecord?id=CVE-2023-44483", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", }, { category: "external", summary: "http://www.openwall.com/lists/oss-security/2023/10/20/5", url: "http://www.openwall.com/lists/oss-security/2023/10/20/5", }, { category: "external", summary: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", url: "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", }, ], release_date: "2023-10-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "santuario: Private Key disclosure in debug-log output", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, discovery_date: "2023-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2254210", }, ], notes: [ { category: "description", text: "A flaw was found in the SSH channel integrity. By manipulating sequence numbers during the handshake, an attacker can remove the initial messages on the secure channel without causing a MAC failure. For example, an attacker could disable the ping extension and thus disable the new countermeasure in OpenSSH 9.5 against keystroke timing attacks.", title: "Vulnerability description", }, { category: "summary", text: "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", title: "Vulnerability summary", }, { category: "other", text: "This CVE is classified as moderate because the attack requires an active Man-in-the-Middle (MITM) who can intercept and modify the connection's traffic at the TCP/IP layer.\n\nAlthough the attack is cryptographically innovative, its security impact is fortunately quite limited. It only allows the deletion of consecutive messages, and deleting most messages at this protocol stage prevents user authentication from proceeding, leading to a stalled connection.\n\nThe most significant identified impact is that it enables a MITM to delete the SSH2_MSG_EXT_INFO message sent before authentication begins. This allows the attacker to disable a subset of keystroke timing obfuscation features. However, there is no other observable impact on session secrecy or session integrity.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-48795", }, { category: "external", summary: "RHBZ#2254210", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254210", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-48795", url: "https://www.cve.org/CVERecord?id=CVE-2023-48795", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-48795", }, { category: "external", summary: "https://access.redhat.com/solutions/7071748", url: "https://access.redhat.com/solutions/7071748", }, { category: "external", summary: "https://terrapin-attack.com/", url: "https://terrapin-attack.com/", }, ], release_date: "2023-12-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, { category: "workaround", details: "Update to the last version and check that client and server provide kex pseudo-algorithms indicating usage of the updated version of the protocol which is protected from the attack. If \"kex-strict-c-v00@openssh.com\" is provided by clients and \"kex-strict-s-v00@openssh.com\" is in the server's reply, no other steps are necessary.\n\nDisabling ciphers if necessary:\n\nIf \"kex-strict-c-v00@openssh.com\" is not provided by clients or \"kex-strict-s-v00@openssh.com\" is absent in the server's reply, you can disable the following ciphers and HMACs as a workaround on RHEL-8 and RHEL-9:\n\n1. chacha20-poly1305@openssh.com\n2. hmac-sha2-512-etm@openssh.com\n3. hmac-sha2-256-etm@openssh.com\n4. hmac-sha1-etm@openssh.com\n5. hmac-md5-etm@openssh.com\n\nTo do that through crypto-policies, one can apply a subpolicy with the following content:\n```\ncipher@SSH = -CHACHA20-POLY1305\nssh_etm = 0\n```\ne.g., by putting these lines into `/etc/crypto-policies/policies/modules/CVE-2023-48795.pmod`, applying the resulting subpolicy with `update-crypto-policies --set $(update-crypto-policies --show):CVE-2023-48795` and restarting openssh server.\n\nOne can verify that the changes are in effect by ensuring the ciphers listed above are missing from both `/etc/crypto-policies/back-ends/openssh.config` and `/etc/crypto-policies/back-ends/opensshserver.config`.\n\nFor more details on using crypto-policies, please refer to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening\n\nNote that this procedure does limit the interoperability of the host and is only suggested as a temporary mitigation until the issue is fully resolved with an update.\n\nFor RHEL-7: \nWe can recommend to use strict MACs and Ciphers on RHEL7 in both files /etc/ssh/ssh_config and /etc/ssh/sshd_config.\n\nBelow strict set of Ciphers and MACs can be used as mitigation for RHEL 7.\n\n```\nCiphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\nMACs umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512\n```\n\n- For Openshift Container Platform 4:\nPlease refer the KCS[1] document for verifying the fix in RHCOS.\n\n[1] https://access.redhat.com/solutions/7071748", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "ssh: Prefix truncation attack on Binary Packet Protocol (BPP)", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, discovery_date: "2023-12-28T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2256063", }, ], notes: [ { category: "description", text: "A stack overflow vulnerability was found in the Criteria.parse() method in json-path. This issue occurs due to an uncontrolled recursion caused by specially crafted input, leading to a stack overflow. This vulnerability has the potential to trigger a crash, resulting in a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "json-path: stack-based buffer overflow in Criteria.parse method", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this at maximum of a Moderate impact. When interacting with a server to explore this possible vulnerability, the attacker would be the only one seeing a HTTP 500 error and no other user (or the server entirely) would be vulnerable in a real application scenario with multi-threads.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-51074", }, { category: "external", summary: "RHBZ#2256063", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2256063", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-51074", url: "https://www.cve.org/CVERecord?id=CVE-2023-51074", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "https://github.com/json-path/JsonPath/issues/973", url: "https://github.com/json-path/JsonPath/issues/973", }, ], release_date: "2023-12-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-02-12T16:02:02+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:0789", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "RHBOAC camel-quarkus 3 (camel-4.0/quarkus-3.2)", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-path: stack-based buffer overflow in Criteria.parse method", }, ], }
ncsc-2024-0297
Vulnerability from csaf_ncscnl
Published
2024-07-17 13:53
Modified
2024-07-17 13:53
Summary
Kwetsbaarheden verholpen in Oracle Financial Services Applications
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er zijn kwetsbaarheden verholpen in Oracle Financial Services Applications.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
* (Remote) code execution (Gebruikersrechten)
Oplossingen
Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans
medium
Schade
high
CWE-1188
Initialization of a Resource with an Insecure Default
CWE-121
Stack-based Buffer Overflow
CWE-20
Improper Input Validation
CWE-306
Missing Authentication for Critical Function
CWE-328
Use of Weak Hash
CWE-400
Uncontrolled Resource Consumption
CWE-404
Improper Resource Shutdown or Release
CWE-416
Use After Free
CWE-426
Untrusted Search Path
CWE-502
Deserialization of Untrusted Data
CWE-532
Insertion of Sensitive Information into Log File
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-770
Allocation of Resources Without Limits or Throttling
CWE-787
Out-of-bounds Write
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Er zijn kwetsbaarheden verholpen in Oracle Financial Services Applications.", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens\n* (Remote) code execution (Gebruikersrechten)", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Initialization of a Resource with an Insecure Default", title: "CWE-1188", }, { category: "general", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Missing Authentication for Critical Function", title: "CWE-306", }, { category: "general", text: "Use of Weak Hash", title: "CWE-328", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "general", text: "Use After Free", title: "CWE-416", }, { category: "general", text: "Untrusted Search Path", title: "CWE-426", }, { category: "general", text: "Deserialization of Untrusted Data", title: "CWE-502", }, { category: "general", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, { category: "general", text: "URL Redirection to Untrusted Site ('Open Redirect')", title: "CWE-601", }, { category: "general", text: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", title: "CWE-77", }, { category: "general", text: "Allocation of Resources Without Limits or Throttling", title: "CWE-770", }, { category: "general", text: "Out-of-bounds Write", title: "CWE-787", }, { category: "general", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26031", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34055", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-47248", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-50447", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-52425", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-6129", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21188", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-22201", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-22262", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-23807", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-24549", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-24816", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25062", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-26308", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29133", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-32114", }, { category: "external", summary: "Reference - oracle", url: "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json", }, { category: "external", summary: "Reference - cveprojectv5; ibm; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], title: " Kwetsbaarheden verholpen in Oracle Financial Services Applications", tracking: { current_release_date: "2024-07-17T13:53:54.655859Z", id: "NCSC-2024-0297", initial_release_date: "2024-07-17T13:53:54.655859Z", revision_history: [ { date: "2024-07-17T13:53:54.655859Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9711", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9300", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9522", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-8848", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189066", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189065", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_basic", product: { name: "financial_services_basel_regulatory_capital_basic", product_id: "CSAFPID-1503626", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_basic", product: { name: "financial_services_basel_regulatory_capital_basic", product_id: "CSAFPID-1503627", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.8.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product: { name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product_id: "CSAFPID-1503628", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product: { name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product_id: "CSAFPID-1503629", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.8.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-189067", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93307", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-219772", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-219770", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-816828", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-1503630", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_cash_flow_engine", product: { name: "financial_services_cash_flow_engine", product_id: "CSAFPID-764273", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_cash_flow_engine:8.1.2.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-345047", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-816829", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-1503631", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-1503632", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219774", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503633", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.2.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-180190", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503634", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1.18:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219773", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219771", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-816830", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503635", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.6.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503636", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_lending_and_leasing", product: { name: "financial_services_lending_and_leasing", product_id: "CSAFPID-816831", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-611392", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-611391", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1503319", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1503318", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816833", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:_pricing_services___2.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816840", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:_security___5.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765266", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-344846", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.7.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816832", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912589", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816834", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765264", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765265", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-344845", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816835", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400311", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816836", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912590", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816837", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400309", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816838", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912591", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816839", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912592", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816841", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816842", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503637", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503923", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503638", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.1.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-220374", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-764926", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2022-36944", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, notes: [ { category: "other", text: "Deserialization of Untrusted Data", title: "CWE-502", }, ], product_status: { known_affected: [ "CSAFPID-764273", "CSAFPID-611392", "CSAFPID-611391", "CSAFPID-9522", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-344846", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-344845", "CSAFPID-816835", "CSAFPID-765266", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-8848", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-219772", "CSAFPID-219770", "CSAFPID-345047", "CSAFPID-219774", "CSAFPID-180190", "CSAFPID-219773", "CSAFPID-219771", "CSAFPID-220374", ], }, references: [ { category: "self", summary: "CVE-2022-36944", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-36944.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-764273", "CSAFPID-611392", "CSAFPID-611391", "CSAFPID-9522", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-344846", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-344845", "CSAFPID-816835", "CSAFPID-765266", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-8848", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-219772", "CSAFPID-219770", "CSAFPID-345047", "CSAFPID-219774", "CSAFPID-180190", "CSAFPID-219773", "CSAFPID-219771", "CSAFPID-220374", ], }, ], title: "CVE-2022-36944", }, { cve: "CVE-2023-6129", cwe: { id: "CWE-328", name: "Use of Weak Hash", }, notes: [ { category: "other", text: "Use of Weak Hash", title: "CWE-328", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-6129", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-6129.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-6129", }, { cve: "CVE-2023-26031", cwe: { id: "CWE-426", name: "Untrusted Search Path", }, notes: [ { category: "other", text: "Untrusted Search Path", title: "CWE-426", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-26031", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-26031.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-26031", }, { cve: "CVE-2023-34055", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-34055", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-34055.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-34055", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, notes: [ { category: "other", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-44483", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-44483.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-44483", }, { cve: "CVE-2023-47248", product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503318", "CSAFPID-1503319", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-47248", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-47248.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503318", "CSAFPID-1503319", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-47248", }, { cve: "CVE-2023-50447", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, notes: [ { category: "other", text: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", title: "CWE-77", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-50447", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-50447.json", }, ], scores: [ { cvss_v3: { baseScore: 9, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-50447", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, notes: [ { category: "other", text: "Stack-based Buffer Overflow", title: "CWE-121", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-51074", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-51074.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-51074", }, { cve: "CVE-2023-52425", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-52425", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52425.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-52425", }, { cve: "CVE-2024-2511", cwe: { id: "CWE-404", name: "Improper Resource Shutdown or Release", }, notes: [ { category: "other", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-2511", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2511.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-2511", }, { cve: "CVE-2024-21188", product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-816842", ], }, references: [ { category: "self", summary: "CVE-2024-21188", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21188.json", }, ], title: "CVE-2024-21188", }, { cve: "CVE-2024-22201", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-22201", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22201.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-22201", }, { cve: "CVE-2024-22262", cwe: { id: "CWE-601", name: "URL Redirection to Untrusted Site ('Open Redirect')", }, notes: [ { category: "other", text: "URL Redirection to Untrusted Site ('Open Redirect')", title: "CWE-601", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-22262", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22262.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-22262", }, { cve: "CVE-2024-23807", cwe: { id: "CWE-416", name: "Use After Free", }, notes: [ { category: "other", text: "Use After Free", title: "CWE-416", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-23807", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23807.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-23807", }, { cve: "CVE-2024-24549", cwe: { id: "CWE-20", name: "Improper Input Validation", }, notes: [ { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-24549", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-24549.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-24549", }, { cve: "CVE-2024-24816", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, notes: [ { category: "other", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-24816", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-24816.json", }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-24816", }, { cve: "CVE-2024-25062", cwe: { id: "CWE-416", name: "Use After Free", }, notes: [ { category: "other", text: "Use After Free", title: "CWE-416", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-25062", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25062.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-25062", }, { cve: "CVE-2024-26308", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, notes: [ { category: "other", text: "Allocation of Resources Without Limits or Throttling", title: "CWE-770", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-26308", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26308.json", }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-26308", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, notes: [ { category: "other", text: "Allocation of Resources Without Limits or Throttling", title: "CWE-770", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-29025", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29025.json", }, ], title: "CVE-2024-29025", }, { cve: "CVE-2024-29133", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, notes: [ { category: "other", text: "Out-of-bounds Write", title: "CWE-787", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-29133", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29133.json", }, ], title: "CVE-2024-29133", }, { cve: "CVE-2024-32114", cwe: { id: "CWE-306", name: "Missing Authentication for Critical Function", }, notes: [ { category: "other", text: "Missing Authentication for Critical Function", title: "CWE-306", }, { category: "other", text: "Initialization of a Resource with an Insecure Default", title: "CWE-1188", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-32114", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-32114.json", }, ], scores: [ { cvss_v3: { baseScore: 8.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-32114", }, ], }
NCSC-2024-0297
Vulnerability from csaf_ncscnl
Published
2024-07-17 13:53
Modified
2024-07-17 13:53
Summary
Kwetsbaarheden verholpen in Oracle Financial Services Applications
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Er zijn kwetsbaarheden verholpen in Oracle Financial Services Applications.
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:
* Denial-of-Service (DoS)
* Toegang tot gevoelige gegevens
* Toegang tot systeemgegevens
* Manipulatie van gegevens
* (Remote) code execution (Gebruikersrechten)
Oplossingen
Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.
Kans
medium
Schade
high
CWE-1188
Initialization of a Resource with an Insecure Default
CWE-121
Stack-based Buffer Overflow
CWE-20
Improper Input Validation
CWE-306
Missing Authentication for Critical Function
CWE-328
Use of Weak Hash
CWE-400
Uncontrolled Resource Consumption
CWE-404
Improper Resource Shutdown or Release
CWE-416
Use After Free
CWE-426
Untrusted Search Path
CWE-502
Deserialization of Untrusted Data
CWE-532
Insertion of Sensitive Information into Log File
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-770
Allocation of Resources Without Limits or Throttling
CWE-787
Out-of-bounds Write
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Er zijn kwetsbaarheden verholpen in Oracle Financial Services Applications.", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade:\n\n* Denial-of-Service (DoS)\n* Toegang tot gevoelige gegevens\n* Toegang tot systeemgegevens\n* Manipulatie van gegevens\n* (Remote) code execution (Gebruikersrechten)", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates beschikbaar gesteld om de kwetsbaarheden te verhelpen. Zie de referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Initialization of a Resource with an Insecure Default", title: "CWE-1188", }, { category: "general", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Missing Authentication for Critical Function", title: "CWE-306", }, { category: "general", text: "Use of Weak Hash", title: "CWE-328", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "general", text: "Use After Free", title: "CWE-416", }, { category: "general", text: "Untrusted Search Path", title: "CWE-426", }, { category: "general", text: "Deserialization of Untrusted Data", title: "CWE-502", }, { category: "general", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, { category: "general", text: "URL Redirection to Untrusted Site ('Open Redirect')", title: "CWE-601", }, { category: "general", text: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", title: "CWE-77", }, { category: "general", text: "Allocation of Resources Without Limits or Throttling", title: "CWE-770", }, { category: "general", text: "Out-of-bounds Write", title: "CWE-787", }, { category: "general", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-36944", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-26031", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-34055", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-47248", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-50447", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-51074", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-52425", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-6129", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-21188", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-22201", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-22262", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-23807", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-24549", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-24816", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-25062", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2511", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-26308", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29133", }, { category: "external", summary: "Source - nvd", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-32114", }, { category: "external", summary: "Reference - oracle", url: "https://www.oracle.com/docs/tech/security-alerts/cpujul2024csaf.json", }, { category: "external", summary: "Reference - cveprojectv5; ibm; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], title: " Kwetsbaarheden verholpen in Oracle Financial Services Applications", tracking: { current_release_date: "2024-07-17T13:53:54.655859Z", id: "NCSC-2024-0297", initial_release_date: "2024-07-17T13:53:54.655859Z", revision_history: [ { date: "2024-07-17T13:53:54.655859Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9711", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9300", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9522", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-8848", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189066", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189065", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_basic", product: { name: "financial_services_basel_regulatory_capital_basic", product_id: "CSAFPID-1503626", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_basic", product: { name: "financial_services_basel_regulatory_capital_basic", product_id: "CSAFPID-1503627", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.8.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product: { name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product_id: "CSAFPID-1503628", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product: { name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product_id: "CSAFPID-1503629", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.8.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-189067", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93307", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-219772", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-219770", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-816828", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-1503630", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_cash_flow_engine", product: { name: "financial_services_cash_flow_engine", product_id: "CSAFPID-764273", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_cash_flow_engine:8.1.2.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-345047", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-816829", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-1503631", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-1503632", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219774", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503633", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.2.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-180190", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503634", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1.18:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219773", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219771", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-816830", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503635", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.6.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503636", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_lending_and_leasing", product: { name: "financial_services_lending_and_leasing", product_id: "CSAFPID-816831", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-611392", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-611391", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1503319", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1503318", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816833", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:_pricing_services___2.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816840", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:_security___5.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765266", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-344846", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.7.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816832", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912589", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816834", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765264", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765265", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-344845", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816835", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400311", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816836", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912590", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816837", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400309", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816838", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912591", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816839", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912592", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816841", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816842", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503637", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503923", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503638", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.1.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-220374", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-764926", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2022-36944", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, notes: [ { category: "other", text: "Deserialization of Untrusted Data", title: "CWE-502", }, ], product_status: { known_affected: [ "CSAFPID-764273", "CSAFPID-611392", "CSAFPID-611391", "CSAFPID-9522", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-344846", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-344845", "CSAFPID-816835", "CSAFPID-765266", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-8848", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-219772", "CSAFPID-219770", "CSAFPID-345047", "CSAFPID-219774", "CSAFPID-180190", "CSAFPID-219773", "CSAFPID-219771", "CSAFPID-220374", ], }, references: [ { category: "self", summary: "CVE-2022-36944", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-36944.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-764273", "CSAFPID-611392", "CSAFPID-611391", "CSAFPID-9522", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-344846", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-344845", "CSAFPID-816835", "CSAFPID-765266", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-8848", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-219772", "CSAFPID-219770", "CSAFPID-345047", "CSAFPID-219774", "CSAFPID-180190", "CSAFPID-219773", "CSAFPID-219771", "CSAFPID-220374", ], }, ], title: "CVE-2022-36944", }, { cve: "CVE-2023-6129", cwe: { id: "CWE-328", name: "Use of Weak Hash", }, notes: [ { category: "other", text: "Use of Weak Hash", title: "CWE-328", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-6129", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-6129.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-6129", }, { cve: "CVE-2023-26031", cwe: { id: "CWE-426", name: "Untrusted Search Path", }, notes: [ { category: "other", text: "Untrusted Search Path", title: "CWE-426", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-26031", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-26031.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-26031", }, { cve: "CVE-2023-34055", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-34055", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-34055.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-34055", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, notes: [ { category: "other", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-44483", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-44483.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-44483", }, { cve: "CVE-2023-47248", product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503318", "CSAFPID-1503319", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-47248", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-47248.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1503318", "CSAFPID-1503319", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-47248", }, { cve: "CVE-2023-50447", cwe: { id: "CWE-77", name: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", }, notes: [ { category: "other", text: "Improper Neutralization of Special Elements used in a Command ('Command Injection')", title: "CWE-77", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-50447", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-50447.json", }, ], scores: [ { cvss_v3: { baseScore: 9, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-50447", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, notes: [ { category: "other", text: "Stack-based Buffer Overflow", title: "CWE-121", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-51074", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-51074.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-51074", }, { cve: "CVE-2023-52425", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-52425", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52425.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-52425", }, { cve: "CVE-2024-2511", cwe: { id: "CWE-404", name: "Improper Resource Shutdown or Release", }, notes: [ { category: "other", text: "Improper Resource Shutdown or Release", title: "CWE-404", }, { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-2511", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-2511.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-2511", }, { cve: "CVE-2024-21188", product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-816842", ], }, references: [ { category: "self", summary: "CVE-2024-21188", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21188.json", }, ], title: "CVE-2024-21188", }, { cve: "CVE-2024-22201", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-22201", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22201.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-22201", }, { cve: "CVE-2024-22262", cwe: { id: "CWE-601", name: "URL Redirection to Untrusted Site ('Open Redirect')", }, notes: [ { category: "other", text: "URL Redirection to Untrusted Site ('Open Redirect')", title: "CWE-601", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-22262", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22262.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-22262", }, { cve: "CVE-2024-23807", cwe: { id: "CWE-416", name: "Use After Free", }, notes: [ { category: "other", text: "Use After Free", title: "CWE-416", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-23807", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23807.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-23807", }, { cve: "CVE-2024-24549", cwe: { id: "CWE-20", name: "Improper Input Validation", }, notes: [ { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-24549", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-24549.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-24549", }, { cve: "CVE-2024-24816", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, notes: [ { category: "other", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-24816", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-24816.json", }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-24816", }, { cve: "CVE-2024-25062", cwe: { id: "CWE-416", name: "Use After Free", }, notes: [ { category: "other", text: "Use After Free", title: "CWE-416", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-25062", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-25062.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-25062", }, { cve: "CVE-2024-26308", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, notes: [ { category: "other", text: "Allocation of Resources Without Limits or Throttling", title: "CWE-770", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-26308", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-26308.json", }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-26308", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, notes: [ { category: "other", text: "Allocation of Resources Without Limits or Throttling", title: "CWE-770", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-29025", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29025.json", }, ], title: "CVE-2024-29025", }, { cve: "CVE-2024-29133", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, notes: [ { category: "other", text: "Out-of-bounds Write", title: "CWE-787", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-29133", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29133.json", }, ], title: "CVE-2024-29133", }, { cve: "CVE-2024-32114", cwe: { id: "CWE-306", name: "Missing Authentication for Critical Function", }, notes: [ { category: "other", text: "Missing Authentication for Critical Function", title: "CWE-306", }, { category: "other", text: "Initialization of a Resource with an Insecure Default", title: "CWE-1188", }, ], product_status: { known_affected: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2024-32114", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-32114.json", }, ], scores: [ { cvss_v3: { baseScore: 8.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2024-32114", }, ], }
ncsc-2025-0022
Vulnerability from csaf_ncscnl
Published
2025-01-22 13:31
Modified
2025-01-22 13:31
Summary
Kwetsbaarheden verholpen in Oracle Enterprise Manager
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Oracle heeft kwetsbaarheden verholpen in Oracle Enterprise Manager
Interpretaties
Een kwaadwillende kan de kwetsbaarheden misbruiken om toegang te verkrijgen tot gevoelige data of een Denial-of-Service te veroorzaken.
Oplossingen
Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-125
Out-of-bounds Read
CWE-400
Uncontrolled Resource Consumption
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-121
Stack-based Buffer Overflow
CWE-20
Improper Input Validation
CWE-178
Improper Handling of Case Sensitivity
CWE-284
Improper Access Control
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Oracle heeft kwetsbaarheden verholpen in Oracle Enterprise Manager", title: "Feiten", }, { category: "description", text: "Een kwaadwillende kan de kwetsbaarheden misbruiken om toegang te verkrijgen tot gevoelige data of een Denial-of-Service te veroorzaken.", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Out-of-bounds Read", title: "CWE-125", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, { category: "general", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Improper Handling of Case Sensitivity", title: "CWE-178", }, { category: "general", text: "Improper Access Control", title: "CWE-284", }, { category: "general", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Reference - cveprojectv5; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujan2025.html", }, ], title: "Kwetsbaarheden verholpen in Oracle Enterprise Manager", tracking: { current_release_date: "2025-01-22T13:31:16.019294Z", id: "NCSC-2025-0022", initial_release_date: "2025-01-22T13:31:16.019294Z", revision_history: [ { date: "2025-01-22T13:31:16.019294Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "enterprise_manager_base_platform", product: { name: "enterprise_manager_base_platform", product_id: "CSAFPID-179794", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "enterprise_manager_for_mysql_database", product: { name: "enterprise_manager_for_mysql_database", product_id: "CSAFPID-1751077", product_identification_helper: { cpe: "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.5.2.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "application_testing_suite", product: { name: "application_testing_suite", product_id: "CSAFPID-5546", product_identification_helper: { cpe: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, notes: [ { category: "other", text: "Stack-based Buffer Overflow", title: "CWE-121", }, ], product_status: { known_affected: [ "CSAFPID-5546", "CSAFPID-179794", ], }, references: [ { category: "self", summary: "CVE-2023-51074", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-51074.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-5546", "CSAFPID-179794", ], }, ], title: "CVE-2023-51074", }, { cve: "CVE-2024-29857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, { category: "other", text: "Out-of-bounds Read", title: "CWE-125", }, ], product_status: { known_affected: [ "CSAFPID-5546", "CSAFPID-179794", ], }, references: [ { category: "self", summary: "CVE-2024-29857", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29857.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-5546", "CSAFPID-179794", ], }, ], title: "CVE-2024-29857", }, { cve: "CVE-2024-38819", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, notes: [ { category: "other", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, ], product_status: { known_affected: [ "CSAFPID-1751077", ], }, references: [ { category: "self", summary: "CVE-2024-38819", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38819.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-1751077", ], }, ], title: "CVE-2024-38819", }, { cve: "CVE-2024-38820", cwe: { id: "CWE-284", name: "Improper Access Control", }, notes: [ { category: "other", text: "Improper Access Control", title: "CWE-284", }, { category: "other", text: "Improper Handling of Case Sensitivity", title: "CWE-178", }, ], product_status: { known_affected: [ "CSAFPID-1751077", ], }, references: [ { category: "self", summary: "CVE-2024-38820", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38820.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-1751077", ], }, ], title: "CVE-2024-38820", }, { cve: "CVE-2024-38998", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, notes: [ { category: "other", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], product_status: { known_affected: [ "CSAFPID-5546", ], }, references: [ { category: "self", summary: "CVE-2024-38998", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38998.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-5546", ], }, ], title: "CVE-2024-38998", }, { cve: "CVE-2024-38999", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, notes: [ { category: "other", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], product_status: { known_affected: [ "CSAFPID-5546", ], }, references: [ { category: "self", summary: "CVE-2024-38999", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38999.json", }, ], scores: [ { cvss_v3: { baseScore: 10, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-5546", ], }, ], title: "CVE-2024-38999", }, ], }
ncsc-2025-0025
Vulnerability from csaf_ncscnl
Published
2025-01-22 13:33
Modified
2025-01-22 13:33
Summary
Kwetsbaarheden verholpen in Oracle Financial Services
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Oracle heeft meerdere kwetsbaarheden verholpen in Financial Services en componenten.
Interpretaties
De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot kritieke gegevens en de systeemintegriteit in gevaar te brengen. Specifieke kwetsbaarheden kunnen leiden tot compromittering van vertrouwelijkheid, integriteit en beschikbaarheid, met schadeclassificaties variërend van gemiddeld tot hoog. Sommige kwetsbaarheden kunnen op afstand worden uitgebuit zonder gebruikersinteractie, wat het risico op privilege-escalatie en denial-of-service vergroot.
Oplossingen
Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-681
Incorrect Conversion between Numeric Types
CWE-20
Improper Input Validation
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-131
Incorrect Calculation of Buffer Size
CWE-178
Improper Handling of Case Sensitivity
CWE-284
Improper Access Control
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-611
Improper Restriction of XML External Entity Reference
CWE-670
Always-Incorrect Control Flow Implementation
CWE-192
Integer Coercion Error
CWE-676
Use of Potentially Dangerous Function
CWE-222
Truncation of Security-relevant Information
CWE-755
Improper Handling of Exceptional Conditions
CWE-704
Incorrect Type Conversion or Cast
CWE-680
Integer Overflow to Buffer Overflow
CWE-426
Untrusted Search Path
CWE-354
Improper Validation of Integrity Check Value
CWE-190
Integer Overflow or Wraparound
CWE-532
Insertion of Sensitive Information into Log File
CWE-639
Authorization Bypass Through User-Controlled Key
CWE-757
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-400
Uncontrolled Resource Consumption
CWE-502
Deserialization of Untrusted Data
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-121
Stack-based Buffer Overflow
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Oracle heeft meerdere kwetsbaarheden verholpen in Financial Services en componenten.", title: "Feiten", }, { category: "description", text: "De kwetsbaarheden stellen ongeauthenticeerde aanvallers in staat om toegang te krijgen tot kritieke gegevens en de systeemintegriteit in gevaar te brengen. Specifieke kwetsbaarheden kunnen leiden tot compromittering van vertrouwelijkheid, integriteit en beschikbaarheid, met schadeclassificaties variërend van gemiddeld tot hoog. Sommige kwetsbaarheden kunnen op afstand worden uitgebuit zonder gebruikersinteractie, wat het risico op privilege-escalatie en denial-of-service vergroot.", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Incorrect Conversion between Numeric Types", title: "CWE-681", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, { category: "general", text: "Incorrect Calculation of Buffer Size", title: "CWE-131", }, { category: "general", text: "Improper Handling of Case Sensitivity", title: "CWE-178", }, { category: "general", text: "Improper Access Control", title: "CWE-284", }, { category: "general", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, { category: "general", text: "Improper Restriction of XML External Entity Reference", title: "CWE-611", }, { category: "general", text: "Always-Incorrect Control Flow Implementation", title: "CWE-670", }, { category: "general", text: "Integer Coercion Error", title: "CWE-192", }, { category: "general", text: "Use of Potentially Dangerous Function", title: "CWE-676", }, { category: "general", text: "Truncation of Security-relevant Information", title: "CWE-222", }, { category: "general", text: "Improper Handling of Exceptional Conditions", title: "CWE-755", }, { category: "general", text: "Incorrect Type Conversion or Cast", title: "CWE-704", }, { category: "general", text: "Integer Overflow to Buffer Overflow", title: "CWE-680", }, { category: "general", text: "Untrusted Search Path", title: "CWE-426", }, { category: "general", text: "Improper Validation of Integrity Check Value", title: "CWE-354", }, { category: "general", text: "Integer Overflow or Wraparound", title: "CWE-190", }, { category: "general", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, { category: "general", text: "Authorization Bypass Through User-Controlled Key", title: "CWE-639", }, { category: "general", text: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", title: "CWE-757", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Deserialization of Untrusted Data", title: "CWE-502", }, { category: "general", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, { category: "general", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "general", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "general", text: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", title: "CWE-120", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Reference - cveprojectv5; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujan2025.html", }, ], title: "Kwetsbaarheden verholpen in Oracle Financial Services", tracking: { current_release_date: "2025-01-22T13:33:00.723963Z", id: "NCSC-2025-0025", initial_release_date: "2025-01-22T13:33:00.723963Z", revision_history: [ { date: "2025-01-22T13:33:00.723963Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-342808", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-345045", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-1751072", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9711", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-345044", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-1751083", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9300", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-345043", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-9522", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.9:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-345042", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-8848", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-93309", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189066", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-93305", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189064", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189063", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-1751078", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_infrastructure", product: { name: "financial_services_analytical_applications_infrastructure", product_id: "CSAFPID-189065", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_reconciliation_framework", product: { name: "financial_services_analytical_applications_reconciliation_framework", product_id: "CSAFPID-363146", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.0.7.1.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_analytical_applications_reconciliation_framework", product: { name: "financial_services_analytical_applications_reconciliation_framework", product_id: "CSAFPID-363129", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_analytical_applications_reconciliation_framework:8.1.1.1.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_asset_liability_management", product: { name: "financial_services_asset_liability_management", product_id: "CSAFPID-363142", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_balance_computation_engine", product: { name: "financial_services_balance_computation_engine", product_id: "CSAFPID-363130", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_balance_computation_engine:8.1.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_balance_sheet_planning", product: { name: "financial_services_balance_sheet_planning", product_id: "CSAFPID-363135", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_balance_sheet_planning:8.0.8.1.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_basic", product: { name: "financial_services_basel_regulatory_capital_basic", product_id: "CSAFPID-1503626", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_basic", product: { name: "financial_services_basel_regulatory_capital_basic", product_id: "CSAFPID-1503627", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_basic:8.0.8.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product: { name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product_id: "CSAFPID-1503628", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product: { name: "financial_services_basel_regulatory_capital_internal_ratings_based_approach", product_id: "CSAFPID-1503629", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_basel_regulatory_capital_internal_ratings_based_approach:8.0.8.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-765261", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93312", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-220456", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93311", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-189067", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93308", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93307", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-93306", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-220368", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-220449", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-345041", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-219772", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-219770", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-816828", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-1503630", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_behavior_detection_platform", product: { name: "financial_services_behavior_detection_platform", product_id: "CSAFPID-1751074", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_cash_flow_engine", product: { name: "financial_services_cash_flow_engine", product_id: "CSAFPID-764273", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_cash_flow_engine:8.1.2.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-345047", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-816829", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-1503631", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_compliance_studio", product: { name: "financial_services_compliance_studio", product_id: "CSAFPID-1503632", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_compliance_studio:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_crime_and_compliance_management_studio", product: { name: "financial_services_crime_and_compliance_management_studio", product_id: "CSAFPID-93648", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_crime_and_compliance_management_studio", product: { name: "financial_services_crime_and_compliance_management_studio", product_id: "CSAFPID-93647", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_crime_and_compliance_management_studio", product: { name: "financial_services_crime_and_compliance_management_studio", product_id: "CSAFPID-764857", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_crime_and_compliance_management_studio", product: { name: "financial_services_crime_and_compliance_management_studio", product_id: "CSAFPID-391382", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_crime_and_compliance_management_studio", product: { name: "financial_services_crime_and_compliance_management_studio", product_id: "CSAFPID-765262", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:_studio___8.0.8.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_crime_and_compliance_management_studio", product: { name: "financial_services_crime_and_compliance_management_studio", product_id: "CSAFPID-765263", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:_studio___8.0.8.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_currency_transaction_reporting", product: { name: "financial_services_currency_transaction_reporting", product_id: "CSAFPID-493291", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_currency_transaction_reporting:8.0.8.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_currency_transaction_reporting", product: { name: "financial_services_currency_transaction_reporting", product_id: "CSAFPID-493290", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_currency_transaction_reporting:8.1.1.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_currency_transaction_reporting", product: { name: "financial_services_currency_transaction_reporting", product_id: "CSAFPID-493289", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_currency_transaction_reporting:8.1.2.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_currency_transaction_reporting", product: { name: "financial_services_currency_transaction_reporting", product_id: "CSAFPID-493288", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_currency_transaction_reporting:8.1.2.4.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_data_governance_for_us_regulatory_reporting", product: { name: "financial_services_data_governance_for_us_regulatory_reporting", product_id: "CSAFPID-363128", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:8.1.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_data_governance_for_us_regulatory_reporting", product: { name: "financial_services_data_governance_for_us_regulatory_reporting", product_id: "CSAFPID-363127", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_data_governance_for_us_regulatory_reporting:8.1.2.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_data_integration_hub", product: { name: "financial_services_data_integration_hub", product_id: "CSAFPID-363144", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7.3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_data_integration_hub", product: { name: "financial_services_data_integration_hub", product_id: "CSAFPID-363131", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.0.1.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_data_integration_hub", product: { name: "financial_services_data_integration_hub", product_id: "CSAFPID-363126", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.1.2.2.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_deposit_insurance_calculations_for_liquidity_risk_management", product: { name: "financial_services_deposit_insurance_calculations_for_liquidity_risk_management", product_id: "CSAFPID-363143", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_deposit_insurance_calculations_for_liquidity_risk_management:8.0.7.3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_deposit_insurance_calculations_for_liquidity_risk_management", product: { name: "financial_services_deposit_insurance_calculations_for_liquidity_risk_management", product_id: "CSAFPID-363133", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_deposit_insurance_calculations_for_liquidity_risk_management:8.0.8.3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-567702", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220378", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220377", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220455", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220607", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220372", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503633", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.2.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219774", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-180191", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503634", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1.18:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-180190", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-180189", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220369", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-220448", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-345040", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219773", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-219771", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503635", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.6.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-816830", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_case_management", product: { name: "financial_services_enterprise_case_management", product_id: "CSAFPID-1503636", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.2.7.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_enterprise_financial_performance_analytics", product: { name: "financial_services_enterprise_financial_performance_analytics", product_id: "CSAFPID-363141", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_enterprise_financial_performance_analytics:8.0.7.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_funds_transfer_pricing", product: { name: "financial_services_funds_transfer_pricing", product_id: "CSAFPID-363138", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_institutional_performance_analytics", product: { name: "financial_services_institutional_performance_analytics", product_id: "CSAFPID-363136", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_institutional_performance_analytics:8.0.7.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_lending_and_leasing", product: { name: "financial_services_lending_and_leasing", product_id: "CSAFPID-816831", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_liquidity_risk_measurement_and_management", product: { name: "financial_services_liquidity_risk_measurement_and_management", product_id: "CSAFPID-363145", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.7.3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_liquidity_risk_measurement_and_management", product: { name: "financial_services_liquidity_risk_measurement_and_management", product_id: "CSAFPID-363132", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_liquidity_risk_measurement_and_management:8.0.8.3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_loan_loss_forecasting_and_provisioning", product: { name: "financial_services_loan_loss_forecasting_and_provisioning", product_id: "CSAFPID-363140", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.7.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_loan_loss_forecasting_and_provisioning", product: { name: "financial_services_loan_loss_forecasting_and_provisioning", product_id: "CSAFPID-363134", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.8.2.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-764923", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.0.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-396508", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-764924", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-396507", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-611392", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-611391", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1503319", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1503318", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1751202", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_model_management_and_governance", product: { name: "financial_services_model_management_and_governance", product_id: "CSAFPID-1751086", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:8.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_profitability_management", product: { name: "financial_services_profitability_management", product_id: "CSAFPID-363139", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_profitability_management:8.0.7.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting", product: { name: "financial_services_regulatory_reporting", product_id: "CSAFPID-570314", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting:8.0.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting", product: { name: "financial_services_regulatory_reporting", product_id: "CSAFPID-570313", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting:8.1.1.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting", product: { name: "financial_services_regulatory_reporting", product_id: "CSAFPID-570312", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting:8.1.2.3:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting", product: { name: "financial_services_regulatory_reporting", product_id: "CSAFPID-570311", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting:8.1.2.4:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting", product: { name: "financial_services_regulatory_reporting", product_id: "CSAFPID-1751214", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting:8.1.2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting", product: { name: "financial_services_regulatory_reporting", product_id: "CSAFPID-1751213", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting:8.1.2.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_regulatory_reporting_with_agilereporter", product: { name: "financial_services_regulatory_reporting_with_agilereporter", product_id: "CSAFPID-611433", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.1.1.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_retail_performance_analytics", product: { name: "financial_services_retail_performance_analytics", product_id: "CSAFPID-363137", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_retail_performance_analytics:8.0.7.8.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765266", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-344846", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.7.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219833", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912589", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816832", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219832", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1751215", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.0.0-7.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765264", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-765265", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816834", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-344845", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219831", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:2.9:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400311", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816835", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219830", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912590", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816836", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219829", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.1:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400309", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816837", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219828", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:3.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-400307", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912591", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816838", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-219827", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-912592", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816839", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816841", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:5.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503637", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.0.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816842", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-1503638", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:6.1.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816833", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:_pricing_services___2.9.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_revenue_management_and_billing", product: { name: "financial_services_revenue_management_and_billing", product_id: "CSAFPID-816840", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing:_security___5.1.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering", product: { name: "financial_services_trade-based_anti_money_laundering", product_id: "CSAFPID-1751087", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering", product: { name: "financial_services_trade-based_anti_money_laundering", product_id: "CSAFPID-220375", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-764925", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.7.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-764796", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-764926", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product: { name: "financial_services_trade-based_anti_money_laundering_enterprise_edition", product_id: "CSAFPID-220374", product_identification_helper: { cpe: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering_enterprise_edition:8.0.8:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-764262", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-180213", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.2:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-180207", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-912094", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.5.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-912093", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.6.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-912092", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.7.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-816824", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.7.0.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_liquidity_management", product: { name: "banking_liquidity_management", product_id: "CSAFPID-1673499", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_liquidity_management:14.7.5.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_origination", product: { name: "banking_origination", product_id: "CSAFPID-764263", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_origination:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_origination", product: { name: "banking_origination", product_id: "CSAFPID-180208", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_origination:14.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_origination", product: { name: "banking_origination", product_id: "CSAFPID-1751207", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_origination:14.5.0.0.0-14.7.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_origination", product: { name: "banking_origination", product_id: "CSAFPID-912064", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_origination:14.5.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_origination", product: { name: "banking_origination", product_id: "CSAFPID-912063", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_origination:14.6.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_origination", product: { name: "banking_origination", product_id: "CSAFPID-912062", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_origination:14.7.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-764259", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:*:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-1751206", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0.0.0-14.7.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-1503614", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.4.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-180204", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-1503615", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-1503616", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.6.0.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "banking_corporate_lending_process_management", product: { name: "banking_corporate_lending_process_management", product_id: "CSAFPID-1503617", product_identification_helper: { cpe: "cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.7.0.0.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2022-34169", cwe: { id: "CWE-192", name: "Integer Coercion Error", }, notes: [ { category: "other", text: "Integer Coercion Error", title: "CWE-192", }, { category: "other", text: "Incorrect Conversion between Numeric Types", title: "CWE-681", }, { category: "other", text: "Incorrect Type Conversion or Cast", title: "CWE-704", }, ], product_status: { known_affected: [ "CSAFPID-219827", "CSAFPID-219828", "CSAFPID-219829", "CSAFPID-219830", "CSAFPID-344845", "CSAFPID-219831", "CSAFPID-219832", "CSAFPID-344846", "CSAFPID-219833", "CSAFPID-764259", "CSAFPID-345045", "CSAFPID-345044", "CSAFPID-345043", "CSAFPID-345042", "CSAFPID-93309", "CSAFPID-93305", "CSAFPID-189064", "CSAFPID-189063", "CSAFPID-363146", "CSAFPID-363129", "CSAFPID-363142", "CSAFPID-363130", "CSAFPID-363135", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-345041", "CSAFPID-219772", "CSAFPID-345047", "CSAFPID-391382", "CSAFPID-493291", "CSAFPID-493290", "CSAFPID-493289", "CSAFPID-493288", "CSAFPID-363128", "CSAFPID-363127", "CSAFPID-363144", "CSAFPID-363131", "CSAFPID-363126", "CSAFPID-363143", "CSAFPID-363133", "CSAFPID-219774", "CSAFPID-180190", "CSAFPID-345040", "CSAFPID-219773", "CSAFPID-363141", "CSAFPID-363138", "CSAFPID-363136", "CSAFPID-363145", "CSAFPID-363132", "CSAFPID-363140", "CSAFPID-363134", "CSAFPID-396508", "CSAFPID-396507", "CSAFPID-363139", "CSAFPID-570314", "CSAFPID-570313", "CSAFPID-570312", "CSAFPID-570311", "CSAFPID-611433", "CSAFPID-363137", "CSAFPID-764796", "CSAFPID-764857", "CSAFPID-342808", "CSAFPID-220456", "CSAFPID-93308", "CSAFPID-93306", "CSAFPID-220368", "CSAFPID-220449", "CSAFPID-220455", "CSAFPID-180191", "CSAFPID-180189", "CSAFPID-220369", "CSAFPID-220448", "CSAFPID-764923", "CSAFPID-764924", "CSAFPID-764925", "CSAFPID-764926", "CSAFPID-764262", "CSAFPID-816824", "CSAFPID-764263", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-180204", "CSAFPID-180213", "CSAFPID-180207", "CSAFPID-180208", "CSAFPID-93312", "CSAFPID-93311", "CSAFPID-765261", "CSAFPID-765262", "CSAFPID-93648", "CSAFPID-765263", "CSAFPID-93647", "CSAFPID-220378", "CSAFPID-220377", "CSAFPID-220607", "CSAFPID-220372", "CSAFPID-567702", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-765266", "CSAFPID-400307", "CSAFPID-8848", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-219770", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-219771", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-220374", "CSAFPID-912094", "CSAFPID-912093", "CSAFPID-912092", "CSAFPID-912064", "CSAFPID-912063", "CSAFPID-912062", "CSAFPID-912589", "CSAFPID-400311", "CSAFPID-912590", "CSAFPID-400309", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", ], }, references: [ { category: "self", summary: "CVE-2022-34169", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-34169.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-219827", "CSAFPID-219828", "CSAFPID-219829", "CSAFPID-219830", "CSAFPID-344845", "CSAFPID-219831", "CSAFPID-219832", "CSAFPID-344846", "CSAFPID-219833", "CSAFPID-764259", "CSAFPID-345045", "CSAFPID-345044", "CSAFPID-345043", "CSAFPID-345042", "CSAFPID-93309", "CSAFPID-93305", "CSAFPID-189064", "CSAFPID-189063", "CSAFPID-363146", "CSAFPID-363129", "CSAFPID-363142", "CSAFPID-363130", "CSAFPID-363135", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-345041", "CSAFPID-219772", "CSAFPID-345047", "CSAFPID-391382", "CSAFPID-493291", "CSAFPID-493290", "CSAFPID-493289", "CSAFPID-493288", "CSAFPID-363128", "CSAFPID-363127", "CSAFPID-363144", "CSAFPID-363131", "CSAFPID-363126", "CSAFPID-363143", "CSAFPID-363133", "CSAFPID-219774", "CSAFPID-180190", "CSAFPID-345040", "CSAFPID-219773", "CSAFPID-363141", "CSAFPID-363138", "CSAFPID-363136", "CSAFPID-363145", "CSAFPID-363132", "CSAFPID-363140", "CSAFPID-363134", "CSAFPID-396508", "CSAFPID-396507", "CSAFPID-363139", "CSAFPID-570314", "CSAFPID-570313", "CSAFPID-570312", "CSAFPID-570311", "CSAFPID-611433", "CSAFPID-363137", "CSAFPID-764796", "CSAFPID-764857", "CSAFPID-342808", "CSAFPID-220456", "CSAFPID-93308", "CSAFPID-93306", "CSAFPID-220368", "CSAFPID-220449", "CSAFPID-220455", "CSAFPID-180191", "CSAFPID-180189", "CSAFPID-220369", "CSAFPID-220448", "CSAFPID-764923", "CSAFPID-764924", "CSAFPID-764925", "CSAFPID-764926", "CSAFPID-764262", "CSAFPID-816824", "CSAFPID-764263", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-180204", "CSAFPID-180213", "CSAFPID-180207", "CSAFPID-180208", "CSAFPID-93312", "CSAFPID-93311", "CSAFPID-765261", "CSAFPID-765262", "CSAFPID-93648", "CSAFPID-765263", "CSAFPID-93647", "CSAFPID-220378", "CSAFPID-220377", "CSAFPID-220607", "CSAFPID-220372", "CSAFPID-567702", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-765266", "CSAFPID-400307", "CSAFPID-8848", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-219770", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-219771", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-220374", "CSAFPID-912094", "CSAFPID-912093", "CSAFPID-912092", "CSAFPID-912064", "CSAFPID-912063", "CSAFPID-912062", "CSAFPID-912589", "CSAFPID-400311", "CSAFPID-912590", "CSAFPID-400309", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", ], }, ], title: "CVE-2022-34169", }, { cve: "CVE-2023-26031", cwe: { id: "CWE-426", name: "Untrusted Search Path", }, notes: [ { category: "other", text: "Untrusted Search Path", title: "CWE-426", }, ], product_status: { known_affected: [ "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-912094", "CSAFPID-912093", "CSAFPID-912092", "CSAFPID-912064", "CSAFPID-912063", "CSAFPID-912062", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-816829", ], }, references: [ { category: "self", summary: "CVE-2023-26031", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-26031.json", }, ], title: "CVE-2023-26031", }, { cve: "CVE-2023-33201", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, notes: [ { category: "other", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, ], product_status: { known_affected: [ "CSAFPID-611391", "CSAFPID-611392", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-764273", "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-1751202", "CSAFPID-1751086", ], }, references: [ { category: "self", summary: "CVE-2023-33201", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-33201.json", }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-611391", "CSAFPID-611392", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-764273", "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-1751202", "CSAFPID-1751086", ], }, ], title: "CVE-2023-33201", }, { cve: "CVE-2023-39410", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, notes: [ { category: "other", text: "Deserialization of Untrusted Data", title: "CWE-502", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1751202", "CSAFPID-1751206", "CSAFPID-1751086", "CSAFPID-1751207", "CSAFPID-1503318", ], }, references: [ { category: "self", summary: "CVE-2023-39410", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-39410.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-1751202", "CSAFPID-1751206", "CSAFPID-1751086", "CSAFPID-1751207", "CSAFPID-1503318", ], }, ], title: "CVE-2023-39410", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, notes: [ { category: "other", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-44483", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-44483.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-44483", }, { cve: "CVE-2023-48795", cwe: { id: "CWE-222", name: "Truncation of Security-relevant Information", }, notes: [ { category: "other", text: "Truncation of Security-relevant Information", title: "CWE-222", }, { category: "other", text: "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", title: "CWE-757", }, { category: "other", text: "Improper Validation of Integrity Check Value", title: "CWE-354", }, ], product_status: { known_affected: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, references: [ { category: "self", summary: "CVE-2023-48795", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-48795.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-8848", "CSAFPID-9300", "CSAFPID-9522", "CSAFPID-9711", "CSAFPID-93307", "CSAFPID-180190", "CSAFPID-189065", "CSAFPID-189066", "CSAFPID-189067", "CSAFPID-219770", "CSAFPID-219771", "CSAFPID-219774", "CSAFPID-220374", "CSAFPID-344845", "CSAFPID-344846", "CSAFPID-764259", "CSAFPID-764262", "CSAFPID-764263", "CSAFPID-765266", "CSAFPID-816824", "CSAFPID-816828", "CSAFPID-816829", "CSAFPID-816830", "CSAFPID-816831", "CSAFPID-816832", "CSAFPID-816833", "CSAFPID-816834", "CSAFPID-816835", "CSAFPID-816836", "CSAFPID-816837", "CSAFPID-816838", "CSAFPID-816839", "CSAFPID-816840", "CSAFPID-816841", "CSAFPID-816842", "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", ], }, ], title: "CVE-2023-48795", }, { cve: "CVE-2023-51074", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, notes: [ { category: "other", text: "Stack-based Buffer Overflow", title: "CWE-121", }, ], product_status: { known_affected: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-1751213", "CSAFPID-220375", "CSAFPID-1751214", "CSAFPID-1751074", ], }, references: [ { category: "self", summary: "CVE-2023-51074", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-51074.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-400309", "CSAFPID-400311", "CSAFPID-765264", "CSAFPID-765265", "CSAFPID-912062", "CSAFPID-912063", "CSAFPID-912064", "CSAFPID-912092", "CSAFPID-912093", "CSAFPID-912094", "CSAFPID-912589", "CSAFPID-912590", "CSAFPID-912591", "CSAFPID-912592", "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-1751213", "CSAFPID-220375", "CSAFPID-1751214", "CSAFPID-1751074", ], }, ], title: "CVE-2023-51074", }, { cve: "CVE-2023-52070", product_status: { known_affected: [ "CSAFPID-1751215", ], }, references: [ { category: "self", summary: "CVE-2023-52070", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-52070.json", }, ], scores: [ { cvss_v3: { baseScore: 8.4, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-1751215", ], }, ], title: "CVE-2023-52070", }, { cve: "CVE-2024-28219", cwe: { id: "CWE-120", name: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", }, notes: [ { category: "other", text: "Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", title: "CWE-120", }, { category: "other", text: "Use of Potentially Dangerous Function", title: "CWE-676", }, { category: "other", text: "Integer Overflow to Buffer Overflow", title: "CWE-680", }, ], product_status: { known_affected: [ "CSAFPID-1503631", "CSAFPID-1673499", ], }, references: [ { category: "self", summary: "CVE-2024-28219", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-28219.json", }, ], scores: [ { cvss_v3: { baseScore: 7.3, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, products: [ "CSAFPID-1503631", "CSAFPID-1673499", ], }, ], title: "CVE-2024-28219", }, { cve: "CVE-2024-34064", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, notes: [ { category: "other", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], product_status: { known_affected: [ "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-912094", "CSAFPID-912093", "CSAFPID-912092", "CSAFPID-912064", "CSAFPID-912063", "CSAFPID-912062", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-1673499", "CSAFPID-1751206", "CSAFPID-1751207", ], }, references: [ { category: "self", summary: "CVE-2024-34064", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-34064.json", }, ], scores: [ { cvss_v3: { baseScore: 5.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "CSAFPID-1503614", "CSAFPID-1503615", "CSAFPID-1503616", "CSAFPID-1503617", "CSAFPID-912094", "CSAFPID-912093", "CSAFPID-912092", "CSAFPID-912064", "CSAFPID-912063", "CSAFPID-912062", "CSAFPID-9711", "CSAFPID-9300", "CSAFPID-189066", "CSAFPID-189065", "CSAFPID-1503626", "CSAFPID-1503627", "CSAFPID-1503628", "CSAFPID-1503629", "CSAFPID-189067", "CSAFPID-93307", "CSAFPID-816828", "CSAFPID-1503630", "CSAFPID-1503631", "CSAFPID-1503632", "CSAFPID-1503633", "CSAFPID-1503634", "CSAFPID-1503635", "CSAFPID-1503636", "CSAFPID-1503319", "CSAFPID-1503318", "CSAFPID-1503637", "CSAFPID-1503638", "CSAFPID-764926", "CSAFPID-1673499", "CSAFPID-1751206", "CSAFPID-1751207", ], }, ], title: "CVE-2024-34064", }, { cve: "CVE-2024-34750", cwe: { id: "CWE-755", name: "Improper Handling of Exceptional Conditions", }, notes: [ { category: "other", text: "Improper Handling of Exceptional Conditions", title: "CWE-755", }, { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-1751202", "CSAFPID-1751086", "CSAFPID-1503318", ], }, references: [ { category: "self", summary: "CVE-2024-34750", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-34750.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-1751202", "CSAFPID-1751086", "CSAFPID-1503318", ], }, ], title: "CVE-2024-34750", }, { cve: "CVE-2024-35195", cwe: { id: "CWE-670", name: "Always-Incorrect Control Flow Implementation", }, notes: [ { category: "other", text: "Always-Incorrect Control Flow Implementation", title: "CWE-670", }, ], product_status: { known_affected: [ "CSAFPID-1673499", "CSAFPID-1503631", ], }, references: [ { category: "self", summary: "CVE-2024-35195", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-35195.json", }, ], scores: [ { cvss_v3: { baseScore: 5.7, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-1673499", "CSAFPID-1503631", ], }, ], title: "CVE-2024-35195", }, { cve: "CVE-2024-38819", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, notes: [ { category: "other", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, ], product_status: { known_affected: [ "CSAFPID-1751072", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-189067", "CSAFPID-1751083", "CSAFPID-1751086", "CSAFPID-1503631", "CSAFPID-220375", ], }, references: [ { category: "self", summary: "CVE-2024-38819", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38819.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-1751072", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-189067", "CSAFPID-1751083", "CSAFPID-1751086", "CSAFPID-1503631", "CSAFPID-220375", ], }, ], title: "CVE-2024-38819", }, { cve: "CVE-2024-38820", cwe: { id: "CWE-284", name: "Improper Access Control", }, notes: [ { category: "other", text: "Improper Access Control", title: "CWE-284", }, { category: "other", text: "Improper Handling of Case Sensitivity", title: "CWE-178", }, ], product_status: { known_affected: [ "CSAFPID-220375", "CSAFPID-1751083", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-1503631", "CSAFPID-189067", "CSAFPID-1751086", "CSAFPID-1751072", ], }, references: [ { category: "self", summary: "CVE-2024-38820", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38820.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-220375", "CSAFPID-1751083", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-1503631", "CSAFPID-189067", "CSAFPID-1751086", "CSAFPID-1751072", ], }, ], title: "CVE-2024-38820", }, { cve: "CVE-2024-38827", cwe: { id: "CWE-639", name: "Authorization Bypass Through User-Controlled Key", }, notes: [ { category: "other", text: "Authorization Bypass Through User-Controlled Key", title: "CWE-639", }, ], product_status: { known_affected: [ "CSAFPID-1503631", ], }, references: [ { category: "self", summary: "CVE-2024-38827", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38827.json", }, ], scores: [ { cvss_v3: { baseScore: 4.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, products: [ "CSAFPID-1503631", ], }, ], title: "CVE-2024-38827", }, { cve: "CVE-2024-38998", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, notes: [ { category: "other", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], product_status: { known_affected: [ "CSAFPID-220375", "CSAFPID-1751083", "CSAFPID-189067", "CSAFPID-1503318", "CSAFPID-1751202", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-1751213", "CSAFPID-1751214", "CSAFPID-219774", "CSAFPID-1751086", "CSAFPID-1751072", ], }, references: [ { category: "self", summary: "CVE-2024-38998", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38998.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-220375", "CSAFPID-1751083", "CSAFPID-189067", "CSAFPID-1503318", "CSAFPID-1751202", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-1751213", "CSAFPID-1751214", "CSAFPID-219774", "CSAFPID-1751086", "CSAFPID-1751072", ], }, ], title: "CVE-2024-38998", }, { cve: "CVE-2024-38999", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, notes: [ { category: "other", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], product_status: { known_affected: [ "CSAFPID-220375", "CSAFPID-1751083", "CSAFPID-189067", "CSAFPID-1503318", "CSAFPID-1751202", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-1751213", "CSAFPID-1751214", "CSAFPID-219774", "CSAFPID-1751086", "CSAFPID-1751072", ], }, references: [ { category: "self", summary: "CVE-2024-38999", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38999.json", }, ], scores: [ { cvss_v3: { baseScore: 10, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-220375", "CSAFPID-1751083", "CSAFPID-189067", "CSAFPID-1503318", "CSAFPID-1751202", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-1751078", "CSAFPID-1751213", "CSAFPID-1751214", "CSAFPID-219774", "CSAFPID-1751086", "CSAFPID-1751072", ], }, ], title: "CVE-2024-38999", }, { cve: "CVE-2024-45490", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, notes: [ { category: "other", text: "Integer Overflow or Wraparound", title: "CWE-190", }, { category: "other", text: "Incorrect Calculation of Buffer Size", title: "CWE-131", }, { category: "other", text: "Improper Restriction of XML External Entity Reference", title: "CWE-611", }, ], product_status: { known_affected: [ "CSAFPID-189067", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-220375", ], }, references: [ { category: "self", summary: "CVE-2024-45490", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45490.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-189067", "CSAFPID-1503630", "CSAFPID-1751074", "CSAFPID-220375", ], }, ], title: "CVE-2024-45490", }, { cve: "CVE-2024-45491", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, notes: [ { category: "other", text: "Integer Overflow or Wraparound", title: "CWE-190", }, ], product_status: { known_affected: [ "CSAFPID-220375", "CSAFPID-1503630", "CSAFPID-189067", "CSAFPID-1751074", ], }, references: [ { category: "self", summary: "CVE-2024-45491", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45491.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-220375", "CSAFPID-1503630", "CSAFPID-189067", "CSAFPID-1751074", ], }, ], title: "CVE-2024-45491", }, { cve: "CVE-2024-45492", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, notes: [ { category: "other", text: "Integer Overflow or Wraparound", title: "CWE-190", }, ], product_status: { known_affected: [ "CSAFPID-220375", "CSAFPID-1503630", "CSAFPID-189067", "CSAFPID-1751074", ], }, references: [ { category: "self", summary: "CVE-2024-45492", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45492.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-220375", "CSAFPID-1503630", "CSAFPID-189067", "CSAFPID-1751074", ], }, ], title: "CVE-2024-45492", }, { cve: "CVE-2025-21550", product_status: { known_affected: [ "CSAFPID-189067", "CSAFPID-1503630", "CSAFPID-1751074", ], }, references: [ { category: "self", summary: "CVE-2025-21550", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21550.json", }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "CSAFPID-189067", "CSAFPID-1503630", "CSAFPID-1751074", ], }, ], title: "CVE-2025-21550", }, ], }
fkie_cve-2023-51074
Vulnerability from fkie_nvd
Published
2023-12-27 21:15
Modified
2024-11-21 08:37
Severity ?
Summary
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/json-path/JsonPath/issues/973 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/json-path/JsonPath/issues/973 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| json-path | jayway_jsonpath | 2.8.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:json-path:jayway_jsonpath:2.8.0:*:*:*:*:*:*:*", matchCriteriaId: "8D81ECFA-DBD4-4079-9481-327D08E8E5A0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.", }, { lang: "es", value: "Se descubrió que json-path v2.8.0 contenía un desbordamiento de pila mediante el método Criteria.parse().", }, ], id: "CVE-2023-51074", lastModified: "2024-11-21T08:37:48.267", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-27T21:15:08.253", references: [ { source: "cve@mitre.org", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/json-path/JsonPath/issues/973", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/json-path/JsonPath/issues/973", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.