Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2024-47072
Vulnerability from cvelistv5
Published
2024-11-07 23:38
Modified
2024-11-08 15:20
Severity ?
EPSS score ?
Summary
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
References
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "x-stream", vendor: "x-stream", versions: [ { lessThan: "1.4.21", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-47072", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-11-08T15:17:42.864003Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-08T15:20:08.949Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "xstream", vendor: "x-stream", versions: [ { status: "affected", version: "< 1.4.21", }, ], }, ], descriptions: [ { lang: "en", value: "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-121", description: "CWE-121: Stack-based Buffer Overflow", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-502", description: "CWE-502: Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-07T23:38:52.978Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { name: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", tags: [ "x_refsource_MISC", ], url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { name: "https://x-stream.github.io/CVE-2024-47072.html", tags: [ "x_refsource_MISC", ], url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], source: { advisory: "GHSA-hfq9-hggm-c56q", discovery: "UNKNOWN", }, title: "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-47072", datePublished: "2024-11-07T23:38:52.978Z", dateReserved: "2024-09-17T17:42:37.029Z", dateUpdated: "2024-11-08T15:20:08.949Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { descriptions: "[{\"lang\": \"en\", \"value\": \"XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\"}, {\"lang\": \"es\", \"value\": \"XStream es una librer\\u00eda sencilla para serializar objetos en formato XML y viceversa. Esta vulnerabilidad puede permitir que un atacante remoto finalice la aplicaci\\u00f3n con un error de desbordamiento de pila que resulte en una denegaci\\u00f3n de servicio solo al manipular el flujo de entrada procesado cuando XStream est\\u00e1 configurado para usar BinaryStreamDriver. Se ha aplicado un parche a XStream 1.4.21 para detectar la manipulaci\\u00f3n en el flujo de entrada binario que causa el desbordamiento de pila y genera una InputManipulationException en su lugar. Se recomienda a los usuarios que actualicen la versi\\u00f3n. Los usuarios que no puedan actualizar la versi\\u00f3n pueden detectar el StackOverflowError en el c\\u00f3digo del cliente que llama a XStream si XStream est\\u00e1 configurado para usar BinaryStreamDriver.\"}]", id: "CVE-2024-47072", lastModified: "2024-11-08T19:01:03.880", metrics: "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}", published: "2024-11-08T00:15:14.937", references: "[{\"url\": \"https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://x-stream.github.io/CVE-2024-47072.html\", \"source\": \"security-advisories@github.com\"}]", sourceIdentifier: "security-advisories@github.com", vulnStatus: "Awaiting Analysis", weaknesses: "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-121\"}, {\"lang\": \"en\", \"value\": \"CWE-502\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2024-47072\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-08T00:15:14.937\",\"lastModified\":\"2024-11-08T19:01:03.880\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\"},{\"lang\":\"es\",\"value\":\"XStream es una librería sencilla para serializar objetos en formato XML y viceversa. Esta vulnerabilidad puede permitir que un atacante remoto finalice la aplicación con un error de desbordamiento de pila que resulte en una denegación de servicio solo al manipular el flujo de entrada procesado cuando XStream está configurado para usar BinaryStreamDriver. Se ha aplicado un parche a XStream 1.4.21 para detectar la manipulación en el flujo de entrada binario que causa el desbordamiento de pila y genera una InputManipulationException en su lugar. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión pueden detectar el StackOverflowError en el código del cliente que llama a XStream si XStream está configurado para usar BinaryStreamDriver.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-121\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://x-stream.github.io/CVE-2024-47072.html\",\"source\":\"security-advisories@github.com\"}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47072\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-08T15:17:42.864003Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:x-stream:x-stream:*:*:*:*:*:*:*:*\"], \"vendor\": \"x-stream\", \"product\": \"x-stream\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.4.21\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-08T15:19:32.931Z\"}}], \"cna\": {\"title\": \"XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream\", \"source\": {\"advisory\": \"GHSA-hfq9-hggm-c56q\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"x-stream\", \"product\": \"xstream\", \"versions\": [{\"status\": \"affected\", \"version\": \"< 1.4.21\"}]}], \"references\": [{\"url\": \"https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\", \"name\": \"https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\", \"name\": \"https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://x-stream.github.io/CVE-2024-47072.html\", \"name\": \"https://x-stream.github.io/CVE-2024-47072.html\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-121\", \"description\": \"CWE-121: Stack-based Buffer Overflow\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-07T23:38:52.978Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-47072\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-08T15:20:08.949Z\", \"dateReserved\": \"2024-09-17T17:42:37.029Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-07T23:38:52.978Z\", \"assignerShortName\": \"GitHub_M\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
wid-sec-w-2024-3544
Vulnerability from csaf_certbund
Published
2024-11-25 23:00
Modified
2024-12-22 23:00
Summary
Red Hat JBoss Data Grid: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat JBoss Data Grid ist eine verteilte In-Memory-Datenbank für den schnellen Zugriff auf große Datenvolumen und Skalierbarkeit.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Data Grid ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und um einen Denial-of-Service-Zustand zu erzeugen.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Red Hat JBoss Data Grid ist eine verteilte In-Memory-Datenbank für den schnellen Zugriff auf große Datenvolumen und Skalierbarkeit.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat JBoss Data Grid ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und um einen Denial-of-Service-Zustand zu erzeugen.", title: "Angriff", }, { category: "general", text: "- Sonstiges\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-3544 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3544.json", }, { category: "self", summary: "WID-SEC-2024-3544 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3544", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:10214 vom 2024-11-25", url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-2707 vom 2024-12-20", url: "https://alas.aws.amazon.com/AL2/ALAS-2024-2707.html", }, { category: "external", summary: "Debian Security Advisory DLA-4001 vom 2024-12-21", url: "https://lists.debian.org/debian-lts-announce/2024/12/msg00023.html", }, ], source_lang: "en-US", title: "Red Hat JBoss Data Grid: Mehrere Schwachstellen", tracking: { current_release_date: "2024-12-22T23:00:00.000+00:00", generator: { date: "2024-12-23T09:12:30.409+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-3544", initial_release_date: "2024-11-25T23:00:00.000+00:00", revision_history: [ { date: "2024-11-25T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-12-19T23:00:00.000+00:00", number: "2", summary: "Neue Updates von Amazon aufgenommen", }, { date: "2024-12-22T23:00:00.000+00:00", number: "3", summary: "Neue Updates von Debian aufgenommen", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { category: "product_name", name: "Debian Linux", product: { name: "Debian Linux", product_id: "2951", product_identification_helper: { cpe: "cpe:/o:debian:debian_linux:-", }, }, }, ], category: "vendor", name: "Debian", }, { branches: [ { branches: [ { category: "product_version_range", name: "<8.5.2", product: { name: "Red Hat JBoss Data Grid <8.5.2", product_id: "T039428", }, }, { category: "product_version", name: "8.5.2", product: { name: "Red Hat JBoss Data Grid 8.5.2", product_id: "T039428-fixed", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8.5.2", }, }, }, ], category: "product_name", name: "JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-43788", notes: [ { category: "description", text: "In Red Hat JBoss Data Grid existiert eine Cross-Site Scripting Schwachstelle. HTML und Script-Eingaben werden in Webpack nicht ordnungsgemäß überprüft, bevor sie an den Benutzer zurückgegeben werden. Ein entfernter, anonymer Angreifer kann durch Ausnutzung dieser Schwachstelle beliebigen HTML- und Script-Code durch den Browser des Benutzers im Kontext der betroffenen Seite ausführen. Zur erfolgreichen Ausnutzung ist eine Benutzeraktion erforderlich. Für eine erfolgreiche Ausnutzung müssen bestimmte Bedingungen erfüllt sein. DOM-Clobbering kann nur in Szenarien ausgenutzt werden, in denen ein Angreifer nicht sanitisierte HTML-Attribute einfügen kann.", }, ], product_status: { known_affected: [ "2951", "T039428", "398363", ], }, release_date: "2024-11-25T23:00:00.000+00:00", title: "CVE-2024-43788", }, { cve: "CVE-2024-47072", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Red Hat JBoss Data Grid. Dieser Fehler betrifft die XStream-Bibliothek aufgrund einer unsachgemäßen Behandlung von binären Input-Streams, wenn sie für die Verwendung des BinaryStreamDriver konfiguriert ist, was eine Unterbrechung des Dienstes ermöglicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, indem er einen bösartigen binären Eingabestrom erstellt, um einen Stack Overflow auszulösen.", }, ], product_status: { known_affected: [ "2951", "T039428", "398363", ], }, release_date: "2024-11-25T23:00:00.000+00:00", title: "CVE-2024-47072", }, ], }
fkie_cve-2024-47072
Vulnerability from fkie_nvd
Published
2024-11-08 00:15
Modified
2024-11-08 19:01
Severity ?
Summary
XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
References
Impacted products
| Vendor | Product | Version |
|---|
{ cveTags: [], descriptions: [ { lang: "en", value: "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.", }, { lang: "es", value: "XStream es una librería sencilla para serializar objetos en formato XML y viceversa. Esta vulnerabilidad puede permitir que un atacante remoto finalice la aplicación con un error de desbordamiento de pila que resulte en una denegación de servicio solo al manipular el flujo de entrada procesado cuando XStream está configurado para usar BinaryStreamDriver. Se ha aplicado un parche a XStream 1.4.21 para detectar la manipulación en el flujo de entrada binario que causa el desbordamiento de pila y genera una InputManipulationException en su lugar. Se recomienda a los usuarios que actualicen la versión. Los usuarios que no puedan actualizar la versión pueden detectar el StackOverflowError en el código del cliente que llama a XStream si XStream está configurado para usar BinaryStreamDriver.", }, ], id: "CVE-2024-47072", lastModified: "2024-11-08T19:01:03.880", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, ], }, published: "2024-11-08T00:15:14.937", references: [ { source: "security-advisories@github.com", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { source: "security-advisories@github.com", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { source: "security-advisories@github.com", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Awaiting Analysis", weaknesses: [ { description: [ { lang: "en", value: "CWE-121", }, { lang: "en", value: "CWE-502", }, ], source: "security-advisories@github.com", type: "Secondary", }, ], }
rhsa-2024_10214
Vulnerability from csaf_redhat
Published
2024-11-25 16:56
Modified
2024-12-17 18:59
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.5.2 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.5.2 replaces Data Grid 8.5.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.2 in the Release Notes[3].
Security Fix(es):
* CVE-2024-47072 com.thoughtworks.xstream/xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream [jdg-8] (CVE-2024-47072)
* CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule [jdg-8] (CVE-2024-43788)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.5.2 replaces Data Grid 8.5.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.2 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* CVE-2024-47072 com.thoughtworks.xstream/xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream [jdg-8] (CVE-2024-47072)\n\n* CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule [jdg-8] (CVE-2024-43788)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:10214", url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/index", url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/index", }, { category: "external", summary: "2308193", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308193", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10214.json", }, ], title: "Red Hat Security Advisory: Red Hat Data Grid 8.5.2 security update", tracking: { current_release_date: "2024-12-17T18:59:59+00:00", generator: { date: "2024-12-17T18:59:59+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:10214", initial_release_date: "2024-11-25T16:56:04+00:00", revision_history: [ { date: "2024-11-25T16:56:04+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-25T16:56:04+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T18:59:59+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Data Grid", product: { name: "Red Hat Data Grid", product_id: "Red Hat Data Grid", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-43788", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-08-27T17:20:06.890123+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2308193", }, ], notes: [ { category: "description", text: "A DOM Clobbering vulnerability was found in Webpack via `AutoPublicPathRuntimeModule`. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script through seemingly benign HTML markups in the webpage, for example, through a post or comment, and leverages the gadgets (pieces of JS code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to Cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or ID attributes.", title: "Vulnerability description", }, { category: "summary", text: "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", title: "Vulnerability summary", }, { category: "other", text: "The severity of this issue is classified as moderate rather than important due to the specific conditions required for exploitation. DOM Clobbering, while serious, can only be leveraged in environments where an attacker has the ability to inject unsanitized HTML attributes (e.g., `name` or `id`) into a web page. This limits the attack surface to applications that improperly sanitize user input and rely on Webpack-generated files. Furthermore, the exploitation depends on existing vulnerabilities in the sanitization process, rather than the direct execution of arbitrary scripts. As a result, while the issue can lead to XSS, its impact is constrained by the contextual requirement of HTML injection, lowering its overall severity compared to more direct XSS vectors.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43788", }, { category: "external", summary: "RHBZ#2308193", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308193", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43788", url: "https://www.cve.org/CVERecord?id=CVE-2024-43788", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", }, { category: "external", summary: "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", url: "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", }, { category: "external", summary: "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", url: "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", }, { category: "external", summary: "https://research.securitum.com/xss-in-amp4email-dom-clobbering", url: "https://research.securitum.com/xss-in-amp4email-dom-clobbering", }, { category: "external", summary: "https://scnps.co/papers/sp23_domclob.pdf", url: "https://scnps.co/papers/sp23_domclob.pdf", }, ], release_date: "2024-08-27T17:15:07.967000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-25T16:56:04+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Data Grid", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat Data Grid", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat Data Grid", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", }, { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-25T16:56:04+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Data Grid", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat Data Grid", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, ], }
rhsa-2024:10214
Vulnerability from csaf_redhat
Published
2024-11-25 16:56
Modified
2025-03-24 11:43
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.5.2 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.5.2 replaces Data Grid 8.5.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.2 in the Release Notes[3].
Security Fix(es):
* CVE-2024-47072 com.thoughtworks.xstream/xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream [jdg-8] (CVE-2024-47072)
* CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule [jdg-8] (CVE-2024-43788)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.5.2 replaces Data Grid 8.5.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.2 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* CVE-2024-47072 com.thoughtworks.xstream/xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream [jdg-8] (CVE-2024-47072)\n\n* CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule [jdg-8] (CVE-2024-43788)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:10214", url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/index", url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/index", }, { category: "external", summary: "2308193", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308193", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10214.json", }, ], title: "Red Hat Security Advisory: Red Hat Data Grid 8.5.2 security update", tracking: { current_release_date: "2025-03-24T11:43:41+00:00", generator: { date: "2025-03-24T11:43:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:10214", initial_release_date: "2024-11-25T16:56:04+00:00", revision_history: [ { date: "2024-11-25T16:56:04+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-25T16:56:04+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-24T11:43:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Data Grid", product: { name: "Red Hat Data Grid", product_id: "Red Hat Data Grid", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-43788", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-08-27T17:20:06.890123+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2308193", }, ], notes: [ { category: "description", text: "A DOM Clobbering vulnerability was found in Webpack via `AutoPublicPathRuntimeModule`. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script through seemingly benign HTML markups in the webpage, for example, through a post or comment, and leverages the gadgets (pieces of JS code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to Cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or ID attributes.", title: "Vulnerability description", }, { category: "summary", text: "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", title: "Vulnerability summary", }, { category: "other", text: "The severity of this issue is classified as moderate rather than important due to the specific conditions required for exploitation. DOM Clobbering, while serious, can only be leveraged in environments where an attacker has the ability to inject unsanitized HTML attributes (e.g., `name` or `id`) into a web page. This limits the attack surface to applications that improperly sanitize user input and rely on Webpack-generated files. Furthermore, the exploitation depends on existing vulnerabilities in the sanitization process, rather than the direct execution of arbitrary scripts. As a result, while the issue can lead to XSS, its impact is constrained by the contextual requirement of HTML injection, lowering its overall severity compared to more direct XSS vectors.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43788", }, { category: "external", summary: "RHBZ#2308193", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308193", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43788", url: "https://www.cve.org/CVERecord?id=CVE-2024-43788", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", }, { category: "external", summary: "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", url: "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", }, { category: "external", summary: "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", url: "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", }, { category: "external", summary: "https://research.securitum.com/xss-in-amp4email-dom-clobbering", url: "https://research.securitum.com/xss-in-amp4email-dom-clobbering", }, { category: "external", summary: "https://scnps.co/papers/sp23_domclob.pdf", url: "https://scnps.co/papers/sp23_domclob.pdf", }, ], release_date: "2024-08-27T17:15:07.967000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-25T16:56:04+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Data Grid", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat Data Grid", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat Data Grid", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", }, { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-25T16:56:04+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Data Grid", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat Data Grid", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, ], }
RHSA-2024:10214
Vulnerability from csaf_redhat
Published
2024-11-25 16:56
Modified
2025-03-24 11:43
Summary
Red Hat Security Advisory: Red Hat Data Grid 8.5.2 security update
Notes
Topic
An update for Red Hat Data Grid 8 is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.
Data Grid 8.5.2 replaces Data Grid 8.5.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.2 in the Release Notes[3].
Security Fix(es):
* CVE-2024-47072 com.thoughtworks.xstream/xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream [jdg-8] (CVE-2024-47072)
* CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule [jdg-8] (CVE-2024-43788)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Red Hat Data Grid 8 is now available.\n \nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale.\n \nData Grid 8.5.2 replaces Data Grid 8.5.1 and includes bug fixes and enhancements. Find out more about Data Grid 8.5.2 in the Release Notes[3].\n\nSecurity Fix(es):\n\n* CVE-2024-47072 com.thoughtworks.xstream/xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream [jdg-8] (CVE-2024-47072)\n\n* CVE-2024-43788 webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule [jdg-8] (CVE-2024-43788)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:10214", url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/index", url: "https://access.redhat.com/documentation/en-us/red_hat_data_grid/8.5/html-single/red_hat_data_grid_8.5_release_notes/index", }, { category: "external", summary: "2308193", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308193", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_10214.json", }, ], title: "Red Hat Security Advisory: Red Hat Data Grid 8.5.2 security update", tracking: { current_release_date: "2025-03-24T11:43:41+00:00", generator: { date: "2025-03-24T11:43:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2024:10214", initial_release_date: "2024-11-25T16:56:04+00:00", revision_history: [ { date: "2024-11-25T16:56:04+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-25T16:56:04+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-24T11:43:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Data Grid", product: { name: "Red Hat Data Grid", product_id: "Red Hat Data Grid", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_data_grid:8", }, }, }, ], category: "product_family", name: "Red Hat JBoss Data Grid", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-43788", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-08-27T17:20:06.890123+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2308193", }, ], notes: [ { category: "description", text: "A DOM Clobbering vulnerability was found in Webpack via `AutoPublicPathRuntimeModule`. DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script through seemingly benign HTML markups in the webpage, for example, through a post or comment, and leverages the gadgets (pieces of JS code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to Cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or ID attributes.", title: "Vulnerability description", }, { category: "summary", text: "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", title: "Vulnerability summary", }, { category: "other", text: "The severity of this issue is classified as moderate rather than important due to the specific conditions required for exploitation. DOM Clobbering, while serious, can only be leveraged in environments where an attacker has the ability to inject unsanitized HTML attributes (e.g., `name` or `id`) into a web page. This limits the attack surface to applications that improperly sanitize user input and rely on Webpack-generated files. Furthermore, the exploitation depends on existing vulnerabilities in the sanitization process, rather than the direct execution of arbitrary scripts. As a result, while the issue can lead to XSS, its impact is constrained by the contextual requirement of HTML injection, lowering its overall severity compared to more direct XSS vectors.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43788", }, { category: "external", summary: "RHBZ#2308193", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308193", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43788", url: "https://www.cve.org/CVERecord?id=CVE-2024-43788", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43788", }, { category: "external", summary: "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", url: "https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61", }, { category: "external", summary: "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", url: "https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986", }, { category: "external", summary: "https://research.securitum.com/xss-in-amp4email-dom-clobbering", url: "https://research.securitum.com/xss-in-amp4email-dom-clobbering", }, { category: "external", summary: "https://scnps.co/papers/sp23_domclob.pdf", url: "https://scnps.co/papers/sp23_domclob.pdf", }, ], release_date: "2024-08-27T17:15:07.967000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-25T16:56:04+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Data Grid", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat Data Grid", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "Red Hat Data Grid", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "webpack: DOM Clobbering vulnerability in AutoPublicPathRuntimeModule", }, { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Data Grid", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-25T16:56:04+00:00", details: "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Red Hat Data Grid", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:10214", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Red Hat Data Grid", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Red Hat Data Grid", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, ], }
rhsa-2025:2221
Vulnerability from csaf_redhat
Published
2025-03-04 14:39
Modified
2025-03-19 19:40
Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.14 Openshift Jenkins security update
Notes
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14.
Red Hat Product Security has rated this update as having a security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline
Declarative Plugin Allows Restart of Builds with Unapproved
Jenkinsfile(CVE-2024-52551)
* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin
File Disclosure Vulnerability(CVE-2024-52549)
* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for
Rebuilt Jenkins Pipelines(CVE-2024-52550)
* jenkins: XStream is vulnerable to a Denial of Service attack due to stack
overflow from a manipulated binary input stream(CVE-2024-47072)
* jenkins: Mishandling of an unbalanced comment string in
json-lib(CVE-2024-47855)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14.\nRed Hat Product Security has rated this update as having a security impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,\nis available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated\njobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline\nDeclarative Plugin Allows Restart of Builds with Unapproved\nJenkinsfile(CVE-2024-52551)\n* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin\nFile Disclosure Vulnerability(CVE-2024-52549)\n* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for\nRebuilt Jenkins Pipelines(CVE-2024-52550)\n* jenkins: XStream is vulnerable to a Denial of Service attack due to stack\noverflow from a manipulated binary input stream(CVE-2024-47072)\n* jenkins: Mishandling of an unbalanced comment string in\njson-lib(CVE-2024-47855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments,\nand other related information, refer to the CVE page listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2221", url: "https://access.redhat.com/errata/RHSA-2025:2221", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2221.json", }, ], title: "Red Hat Security Advisory: Red Hat Product OCP Tools 4.14 Openshift Jenkins security update", tracking: { current_release_date: "2025-03-19T19:40:00+00:00", generator: { date: "2025-03-19T19:40:00+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2025:2221", initial_release_date: "2025-03-04T14:39:57+00:00", revision_history: [ { date: "2025-03-04T14:39:57+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-04T14:39:57+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T19:40:00+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.14", product: { name: "OpenShift Developer Tools and Services for OCP 4.14", product_id: "8Base-OCP-Tools-4.14", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.14::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1740109575-3.el8.src", product: { name: "jenkins-0:2.479.3.1740109575-3.el8.src", product_id: "jenkins-0:2.479.3.1740109575-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740109575-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.14.1740109868-1.el8.src", product: { name: "jenkins-2-plugins-0:4.14.1740109868-1.el8.src", product_id: "jenkins-2-plugins-0:4.14.1740109868-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.14.1740109868-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1740109575-3.el8.noarch", product: { name: "jenkins-0:2.479.3.1740109575-3.el8.noarch", product_id: "jenkins-0:2.479.3.1740109575-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740109575-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.14.1740109868-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740109575-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.14", product_id: "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", }, product_reference: "jenkins-0:2.479.3.1740109575-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.14", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740109575-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.14", product_id: "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", }, product_reference: "jenkins-0:2.479.3.1740109575-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.14", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.14", product_id: "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.14", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.14.1740109868-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.14", product_id: "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.14.1740109868-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.14", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2221", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, { cve: "CVE-2024-47855", cwe: { id: "CWE-1286", name: "Improper Validation of Syntactic Correctness of Input", }, discovery_date: "2024-10-04T06:00:55.617408+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316421", }, ], notes: [ { category: "description", text: "A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string.", title: "Vulnerability description", }, { category: "summary", text: "json-lib: Mishandling of an unbalanced comment string in json-lib", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47855", }, { category: "external", summary: "RHBZ#2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47855", url: "https://www.cve.org/CVERecord?id=CVE-2024-47855", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", }, { category: "external", summary: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", url: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", }, { category: "external", summary: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", url: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", }, { category: "external", summary: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", url: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", }, ], release_date: "2024-10-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2221", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-lib: Mishandling of an unbalanced comment string in json-lib", }, { cve: "CVE-2024-52549", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:01:25.191886+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326034", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52549", }, { category: "external", summary: "RHBZ#2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52549", url: "https://www.cve.org/CVERecord?id=CVE-2024-52549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", }, ], release_date: "2024-11-13T20:53:00.291000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2221", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", }, { cve: "CVE-2024-52550", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:09.374298+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326043", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Groovy Plugin (jenkins-plugin/workflow-cps). This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main (Jenkinsfile) script is no longer approved, bypassing script approval checks via the rebuild action.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is considered of important severity rather than moderate because it allows attackers with the `Item/Build` permission to trigger the execution of previously unapproved Jenkinsfiles during the rebuild process. Jenkinsfiles often contain critical pipeline scripts that can interact with sensitive systems and data, including environment variables, credentials, and system configurations. If these scripts are not properly approved, malicious or unauthorized code could be executed, potentially leading to arbitrary code execution, privilege escalation, or data manipulation. The lack of a re-approval check for rebuilt builds bypasses essential security controls, which can be exploited by attackers to gain unauthorized access or compromise the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52550", }, { category: "external", summary: "RHBZ#2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52550", url: "https://www.cve.org/CVERecord?id=CVE-2024-52550", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", }, ], release_date: "2024-11-13T20:53:00.972000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2221", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", }, { cve: "CVE-2024-52551", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:23.613996+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326047", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52551", }, { category: "external", summary: "RHBZ#2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52551", url: "https://www.cve.org/CVERecord?id=CVE-2024-52551", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", }, ], release_date: "2024-11-13T20:53:01.666000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2221", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-0:2.479.3.1740109575-3.el8.src", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.noarch", "8Base-OCP-Tools-4.14:jenkins-2-plugins-0:4.14.1740109868-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", }, ], }
rhsa-2025:2219
Vulnerability from csaf_redhat
Published
2025-03-04 14:19
Modified
2025-03-19 19:40
Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.16 Openshift Jenkins security update
Notes
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.16.
Red Hat Product Security has rated this update as having a security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline
Declarative Plugin Allows Restart of Builds with Unapproved
Jenkinsfile(CVE-2024-52551)
* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin
File Disclosure Vulnerability(CVE-2024-52549)
* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for
Rebuilt Jenkins Pipelines(CVE-2024-52550)
* jenkins: XStream is vulnerable to a Denial of Service attack due to stack
overflow from a manipulated binary input stream(CVE-2024-47072)
* jenkins: Mishandling of an unbalanced comment string in
json-lib(CVE-2024-47855)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.16.\nRed Hat Product Security has rated this update as having a security impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,\nis available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated\njobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline\nDeclarative Plugin Allows Restart of Builds with Unapproved\nJenkinsfile(CVE-2024-52551)\n* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin\nFile Disclosure Vulnerability(CVE-2024-52549)\n* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for\nRebuilt Jenkins Pipelines(CVE-2024-52550)\n* jenkins: XStream is vulnerable to a Denial of Service attack due to stack\noverflow from a manipulated binary input stream(CVE-2024-47072)\n* jenkins: Mishandling of an unbalanced comment string in\njson-lib(CVE-2024-47855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments,\nand other related information, refer to the CVE page listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2219", url: "https://access.redhat.com/errata/RHSA-2025:2219", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2219.json", }, ], title: "Red Hat Security Advisory: Red Hat Product OCP Tools 4.16 Openshift Jenkins security update", tracking: { current_release_date: "2025-03-19T19:40:05+00:00", generator: { date: "2025-03-19T19:40:05+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2025:2219", initial_release_date: "2025-03-04T14:19:22+00:00", revision_history: [ { date: "2025-03-04T14:19:22+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-04T14:19:22+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T19:40:05+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.16", product: { name: "OpenShift Developer Tools and Services for OCP 4.16", product_id: "9Base-OCP-Tools-4.16", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.16::el9", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1739896390-3.el9.src", product: { name: "jenkins-0:2.479.3.1739896390-3.el9.src", product_id: "jenkins-0:2.479.3.1739896390-3.el9.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1739896390-3.el9?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.16.1739896683-1.el9.src", product: { name: "jenkins-2-plugins-0:4.16.1739896683-1.el9.src", product_id: "jenkins-2-plugins-0:4.16.1739896683-1.el9.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.16.1739896683-1.el9?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1739896390-3.el9.noarch", product: { name: "jenkins-0:2.479.3.1739896390-3.el9.noarch", product_id: "jenkins-0:2.479.3.1739896390-3.el9.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1739896390-3.el9?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", product: { name: "jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", product_id: "jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.16.1739896683-1.el9?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1739896390-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.16", product_id: "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", }, product_reference: "jenkins-0:2.479.3.1739896390-3.el9.noarch", relates_to_product_reference: "9Base-OCP-Tools-4.16", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1739896390-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.16", product_id: "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", }, product_reference: "jenkins-0:2.479.3.1739896390-3.el9.src", relates_to_product_reference: "9Base-OCP-Tools-4.16", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.16", product_id: "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", }, product_reference: "jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", relates_to_product_reference: "9Base-OCP-Tools-4.16", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.16.1739896683-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.16", product_id: "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", }, product_reference: "jenkins-2-plugins-0:4.16.1739896683-1.el9.src", relates_to_product_reference: "9Base-OCP-Tools-4.16", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:19:22+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2219", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, { cve: "CVE-2024-47855", cwe: { id: "CWE-1286", name: "Improper Validation of Syntactic Correctness of Input", }, discovery_date: "2024-10-04T06:00:55.617408+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316421", }, ], notes: [ { category: "description", text: "A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string.", title: "Vulnerability description", }, { category: "summary", text: "json-lib: Mishandling of an unbalanced comment string in json-lib", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47855", }, { category: "external", summary: "RHBZ#2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47855", url: "https://www.cve.org/CVERecord?id=CVE-2024-47855", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", }, { category: "external", summary: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", url: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", }, { category: "external", summary: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", url: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", }, { category: "external", summary: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", url: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", }, ], release_date: "2024-10-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:19:22+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2219", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-lib: Mishandling of an unbalanced comment string in json-lib", }, { cve: "CVE-2024-52549", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:01:25.191886+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326034", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52549", }, { category: "external", summary: "RHBZ#2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52549", url: "https://www.cve.org/CVERecord?id=CVE-2024-52549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", }, ], release_date: "2024-11-13T20:53:00.291000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:19:22+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2219", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", }, { cve: "CVE-2024-52550", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:09.374298+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326043", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Groovy Plugin (jenkins-plugin/workflow-cps). This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main (Jenkinsfile) script is no longer approved, bypassing script approval checks via the rebuild action.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is considered of important severity rather than moderate because it allows attackers with the `Item/Build` permission to trigger the execution of previously unapproved Jenkinsfiles during the rebuild process. Jenkinsfiles often contain critical pipeline scripts that can interact with sensitive systems and data, including environment variables, credentials, and system configurations. If these scripts are not properly approved, malicious or unauthorized code could be executed, potentially leading to arbitrary code execution, privilege escalation, or data manipulation. The lack of a re-approval check for rebuilt builds bypasses essential security controls, which can be exploited by attackers to gain unauthorized access or compromise the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52550", }, { category: "external", summary: "RHBZ#2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52550", url: "https://www.cve.org/CVERecord?id=CVE-2024-52550", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", }, ], release_date: "2024-11-13T20:53:00.972000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:19:22+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2219", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", }, { cve: "CVE-2024-52551", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:23.613996+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326047", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52551", }, { category: "external", summary: "RHBZ#2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52551", url: "https://www.cve.org/CVERecord?id=CVE-2024-52551", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", }, ], release_date: "2024-11-13T20:53:01.666000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:19:22+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2219", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-0:2.479.3.1739896390-3.el9.src", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.noarch", "9Base-OCP-Tools-4.16:jenkins-2-plugins-0:4.16.1739896683-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", }, ], }
rhsa-2025:2223
Vulnerability from csaf_redhat
Published
2025-03-04 14:40
Modified
2025-03-19 19:40
Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 Openshift Jenkins security update
Notes
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12.
Red Hat Product Security has rated this update as having a security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline
Declarative Plugin Allows Restart of Builds with Unapproved
Jenkinsfile(CVE-2024-52551)
* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin
File Disclosure Vulnerability(CVE-2024-52549)
* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for
Rebuilt Jenkins Pipelines(CVE-2024-52550)
* jenkins: XStream is vulnerable to a Denial of Service attack due to stack
overflow from a manipulated binary input stream(CVE-2024-47072)
* jenkins: Mishandling of an unbalanced comment string in
json-lib(CVE-2024-47855)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12.\nRed Hat Product Security has rated this update as having a security impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,\nis available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated\njobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline\nDeclarative Plugin Allows Restart of Builds with Unapproved\nJenkinsfile(CVE-2024-52551)\n* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin\nFile Disclosure Vulnerability(CVE-2024-52549)\n* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for\nRebuilt Jenkins Pipelines(CVE-2024-52550)\n* jenkins: XStream is vulnerable to a Denial of Service attack due to stack\noverflow from a manipulated binary input stream(CVE-2024-47072)\n* jenkins: Mishandling of an unbalanced comment string in\njson-lib(CVE-2024-47855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments,\nand other related information, refer to the CVE page listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2223", url: "https://access.redhat.com/errata/RHSA-2025:2223", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2223.json", }, ], title: "Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 Openshift Jenkins security update", tracking: { current_release_date: "2025-03-19T19:40:15+00:00", generator: { date: "2025-03-19T19:40:15+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2025:2223", initial_release_date: "2025-03-04T14:40:23+00:00", revision_history: [ { date: "2025-03-04T14:40:23+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-04T14:40:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T19:40:15+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.12", product: { name: "OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.12::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-2-plugins-0:4.12.1740464689-1.el8.src", product: { name: "jenkins-2-plugins-0:4.12.1740464689-1.el8.src", product_id: "jenkins-2-plugins-0:4.12.1740464689-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1740464689-1.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-0:2.479.3.1740464431-3.el8.src", product: { name: "jenkins-0:2.479.3.1740464431-3.el8.src", product_id: "jenkins-0:2.479.3.1740464431-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740464431-3.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.12.1740464689-1.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-0:2.479.3.1740464431-3.el8.noarch", product: { name: "jenkins-0:2.479.3.1740464431-3.el8.noarch", product_id: "jenkins-0:2.479.3.1740464431-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740464431-3.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740464431-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", }, product_reference: "jenkins-0:2.479.3.1740464431-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740464431-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", }, product_reference: "jenkins-0:2.479.3.1740464431-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.12.1740464689-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.12", product_id: "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.12.1740464689-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.12", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:40:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2223", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, { cve: "CVE-2024-47855", cwe: { id: "CWE-1286", name: "Improper Validation of Syntactic Correctness of Input", }, discovery_date: "2024-10-04T06:00:55.617408+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316421", }, ], notes: [ { category: "description", text: "A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string.", title: "Vulnerability description", }, { category: "summary", text: "json-lib: Mishandling of an unbalanced comment string in json-lib", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47855", }, { category: "external", summary: "RHBZ#2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47855", url: "https://www.cve.org/CVERecord?id=CVE-2024-47855", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", }, { category: "external", summary: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", url: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", }, { category: "external", summary: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", url: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", }, { category: "external", summary: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", url: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", }, ], release_date: "2024-10-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:40:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2223", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-lib: Mishandling of an unbalanced comment string in json-lib", }, { cve: "CVE-2024-52549", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:01:25.191886+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326034", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52549", }, { category: "external", summary: "RHBZ#2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52549", url: "https://www.cve.org/CVERecord?id=CVE-2024-52549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", }, ], release_date: "2024-11-13T20:53:00.291000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:40:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2223", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", }, { cve: "CVE-2024-52550", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:09.374298+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326043", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Groovy Plugin (jenkins-plugin/workflow-cps). This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main (Jenkinsfile) script is no longer approved, bypassing script approval checks via the rebuild action.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is considered of important severity rather than moderate because it allows attackers with the `Item/Build` permission to trigger the execution of previously unapproved Jenkinsfiles during the rebuild process. Jenkinsfiles often contain critical pipeline scripts that can interact with sensitive systems and data, including environment variables, credentials, and system configurations. If these scripts are not properly approved, malicious or unauthorized code could be executed, potentially leading to arbitrary code execution, privilege escalation, or data manipulation. The lack of a re-approval check for rebuilt builds bypasses essential security controls, which can be exploited by attackers to gain unauthorized access or compromise the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52550", }, { category: "external", summary: "RHBZ#2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52550", url: "https://www.cve.org/CVERecord?id=CVE-2024-52550", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", }, ], release_date: "2024-11-13T20:53:00.972000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:40:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2223", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", }, { cve: "CVE-2024-52551", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:23.613996+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326047", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52551", }, { category: "external", summary: "RHBZ#2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52551", url: "https://www.cve.org/CVERecord?id=CVE-2024-52551", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", }, ], release_date: "2024-11-13T20:53:01.666000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:40:23+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2223", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-0:2.479.3.1740464431-3.el8.src", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.noarch", "8Base-OCP-Tools-4.12:jenkins-2-plugins-0:4.12.1740464689-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", }, ], }
rhsa-2025:2218
Vulnerability from csaf_redhat
Published
2025-03-04 14:38
Modified
2025-03-19 19:39
Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.17 Openshift Jenkins security update
Notes
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.17.
Red Hat Product Security has rated this update as having a security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile(CVE-2024-52551)
* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability(CVE-2024-52549)
* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines(CVE-2024-52550)
* jenkins: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream(CVE-2024-47072)
* jenkins: Mishandling of an unbalanced comment string in json-lib(CVE-2024-47855)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.17.\nRed Hat Product Security has rated this update as having a security impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,\nis available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated\njobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile(CVE-2024-52551)\n* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability(CVE-2024-52549)\n* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines(CVE-2024-52550)\n* jenkins: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream(CVE-2024-47072)\n* jenkins: Mishandling of an unbalanced comment string in json-lib(CVE-2024-47855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments,\nand other related information, refer to the CVE page listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2218", url: "https://access.redhat.com/errata/RHSA-2025:2218", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2218.json", }, ], title: "Red Hat Security Advisory: Red Hat Product OCP Tools 4.17 Openshift Jenkins security update", tracking: { current_release_date: "2025-03-19T19:39:56+00:00", generator: { date: "2025-03-19T19:39:56+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2025:2218", initial_release_date: "2025-03-04T14:38:57+00:00", revision_history: [ { date: "2025-03-04T14:38:57+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-04T14:38:57+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T19:39:56+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.17", product: { name: "OpenShift Developer Tools and Services for OCP 4.17", product_id: "9Base-OCP-Tools-4.17", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.17::el9", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1739859586-3.el9.src", product: { name: "jenkins-0:2.479.3.1739859586-3.el9.src", product_id: "jenkins-0:2.479.3.1739859586-3.el9.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1739859586-3.el9?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.17.1739859908-1.el9.src", product: { name: "jenkins-2-plugins-0:4.17.1739859908-1.el9.src", product_id: "jenkins-2-plugins-0:4.17.1739859908-1.el9.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.17.1739859908-1.el9?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1739859586-3.el9.noarch", product: { name: "jenkins-0:2.479.3.1739859586-3.el9.noarch", product_id: "jenkins-0:2.479.3.1739859586-3.el9.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1739859586-3.el9?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", product: { name: "jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", product_id: "jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.17.1739859908-1.el9?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1739859586-3.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.17", product_id: "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", }, product_reference: "jenkins-0:2.479.3.1739859586-3.el9.noarch", relates_to_product_reference: "9Base-OCP-Tools-4.17", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1739859586-3.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.17", product_id: "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", }, product_reference: "jenkins-0:2.479.3.1739859586-3.el9.src", relates_to_product_reference: "9Base-OCP-Tools-4.17", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch as a component of OpenShift Developer Tools and Services for OCP 4.17", product_id: "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", }, product_reference: "jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", relates_to_product_reference: "9Base-OCP-Tools-4.17", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.17.1739859908-1.el9.src as a component of OpenShift Developer Tools and Services for OCP 4.17", product_id: "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", }, product_reference: "jenkins-2-plugins-0:4.17.1739859908-1.el9.src", relates_to_product_reference: "9Base-OCP-Tools-4.17", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:38:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2218", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, { cve: "CVE-2024-47855", cwe: { id: "CWE-1286", name: "Improper Validation of Syntactic Correctness of Input", }, discovery_date: "2024-10-04T06:00:55.617408+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316421", }, ], notes: [ { category: "description", text: "A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string.", title: "Vulnerability description", }, { category: "summary", text: "json-lib: Mishandling of an unbalanced comment string in json-lib", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47855", }, { category: "external", summary: "RHBZ#2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47855", url: "https://www.cve.org/CVERecord?id=CVE-2024-47855", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", }, { category: "external", summary: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", url: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", }, { category: "external", summary: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", url: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", }, { category: "external", summary: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", url: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", }, ], release_date: "2024-10-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:38:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2218", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-lib: Mishandling of an unbalanced comment string in json-lib", }, { cve: "CVE-2024-52549", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:01:25.191886+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326034", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52549", }, { category: "external", summary: "RHBZ#2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52549", url: "https://www.cve.org/CVERecord?id=CVE-2024-52549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", }, ], release_date: "2024-11-13T20:53:00.291000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:38:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2218", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", }, { cve: "CVE-2024-52550", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:09.374298+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326043", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Groovy Plugin (jenkins-plugin/workflow-cps). This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main (Jenkinsfile) script is no longer approved, bypassing script approval checks via the rebuild action.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is considered of important severity rather than moderate because it allows attackers with the `Item/Build` permission to trigger the execution of previously unapproved Jenkinsfiles during the rebuild process. Jenkinsfiles often contain critical pipeline scripts that can interact with sensitive systems and data, including environment variables, credentials, and system configurations. If these scripts are not properly approved, malicious or unauthorized code could be executed, potentially leading to arbitrary code execution, privilege escalation, or data manipulation. The lack of a re-approval check for rebuilt builds bypasses essential security controls, which can be exploited by attackers to gain unauthorized access or compromise the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52550", }, { category: "external", summary: "RHBZ#2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52550", url: "https://www.cve.org/CVERecord?id=CVE-2024-52550", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", }, ], release_date: "2024-11-13T20:53:00.972000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:38:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2218", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", }, { cve: "CVE-2024-52551", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:23.613996+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326047", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52551", }, { category: "external", summary: "RHBZ#2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52551", url: "https://www.cve.org/CVERecord?id=CVE-2024-52551", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", }, ], release_date: "2024-11-13T20:53:01.666000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:38:57+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2218", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-0:2.479.3.1739859586-3.el9.src", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.noarch", "9Base-OCP-Tools-4.17:jenkins-2-plugins-0:4.17.1739859908-1.el9.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", }, ], }
rhsa-2025:2222
Vulnerability from csaf_redhat
Published
2025-03-04 14:20
Modified
2025-03-19 19:39
Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.13 Openshift Jenkins security update
Notes
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13.
Red Hat Product Security has rated this update as having a security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline
Declarative Plugin Allows Restart of Builds with Unapproved
Jenkinsfile(CVE-2024-52551)
* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin
File Disclosure Vulnerability(CVE-2024-52549)
* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for
Rebuilt Jenkins Pipelines(CVE-2024-52550)
* jenkins: XStream is vulnerable to a Denial of Service attack due to stack
overflow from a manipulated binary input stream(CVE-2024-47072)
* jenkins: Mishandling of an unbalanced comment string in
json-lib(CVE-2024-47855)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13.\nRed Hat Product Security has rated this update as having a security impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,\nis available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated\njobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline\nDeclarative Plugin Allows Restart of Builds with Unapproved\nJenkinsfile(CVE-2024-52551)\n* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin\nFile Disclosure Vulnerability(CVE-2024-52549)\n* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for\nRebuilt Jenkins Pipelines(CVE-2024-52550)\n* jenkins: XStream is vulnerable to a Denial of Service attack due to stack\noverflow from a manipulated binary input stream(CVE-2024-47072)\n* jenkins: Mishandling of an unbalanced comment string in\njson-lib(CVE-2024-47855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments,\nand other related information, refer to the CVE page listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2222", url: "https://access.redhat.com/errata/RHSA-2025:2222", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2222.json", }, ], title: "Red Hat Security Advisory: Red Hat Product OCP Tools 4.13 Openshift Jenkins security update", tracking: { current_release_date: "2025-03-19T19:39:52+00:00", generator: { date: "2025-03-19T19:39:52+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2025:2222", initial_release_date: "2025-03-04T14:20:47+00:00", revision_history: [ { date: "2025-03-04T14:20:47+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-04T14:20:47+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T19:39:52+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.13", product: { name: "OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.13::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1740464433-3.el8.src", product: { name: "jenkins-0:2.479.3.1740464433-3.el8.src", product_id: "jenkins-0:2.479.3.1740464433-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740464433-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1740464698-1.el8.src", product: { name: "jenkins-2-plugins-0:4.13.1740464698-1.el8.src", product_id: "jenkins-2-plugins-0:4.13.1740464698-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1740464698-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1740464433-3.el8.noarch", product: { name: "jenkins-0:2.479.3.1740464433-3.el8.noarch", product_id: "jenkins-0:2.479.3.1740464433-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740464433-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.13.1740464698-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740464433-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", }, product_reference: "jenkins-0:2.479.3.1740464433-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740464433-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", }, product_reference: "jenkins-0:2.479.3.1740464433-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.13.1740464698-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.13", product_id: "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.13.1740464698-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.13", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:20:47+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2222", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, { cve: "CVE-2024-47855", cwe: { id: "CWE-1286", name: "Improper Validation of Syntactic Correctness of Input", }, discovery_date: "2024-10-04T06:00:55.617408+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316421", }, ], notes: [ { category: "description", text: "A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string.", title: "Vulnerability description", }, { category: "summary", text: "json-lib: Mishandling of an unbalanced comment string in json-lib", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47855", }, { category: "external", summary: "RHBZ#2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47855", url: "https://www.cve.org/CVERecord?id=CVE-2024-47855", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", }, { category: "external", summary: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", url: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", }, { category: "external", summary: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", url: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", }, { category: "external", summary: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", url: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", }, ], release_date: "2024-10-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:20:47+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2222", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-lib: Mishandling of an unbalanced comment string in json-lib", }, { cve: "CVE-2024-52549", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:01:25.191886+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326034", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52549", }, { category: "external", summary: "RHBZ#2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52549", url: "https://www.cve.org/CVERecord?id=CVE-2024-52549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", }, ], release_date: "2024-11-13T20:53:00.291000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:20:47+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2222", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", }, { cve: "CVE-2024-52550", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:09.374298+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326043", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Groovy Plugin (jenkins-plugin/workflow-cps). This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main (Jenkinsfile) script is no longer approved, bypassing script approval checks via the rebuild action.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is considered of important severity rather than moderate because it allows attackers with the `Item/Build` permission to trigger the execution of previously unapproved Jenkinsfiles during the rebuild process. Jenkinsfiles often contain critical pipeline scripts that can interact with sensitive systems and data, including environment variables, credentials, and system configurations. If these scripts are not properly approved, malicious or unauthorized code could be executed, potentially leading to arbitrary code execution, privilege escalation, or data manipulation. The lack of a re-approval check for rebuilt builds bypasses essential security controls, which can be exploited by attackers to gain unauthorized access or compromise the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52550", }, { category: "external", summary: "RHBZ#2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52550", url: "https://www.cve.org/CVERecord?id=CVE-2024-52550", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", }, ], release_date: "2024-11-13T20:53:00.972000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:20:47+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2222", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", }, { cve: "CVE-2024-52551", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:23.613996+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326047", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52551", }, { category: "external", summary: "RHBZ#2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52551", url: "https://www.cve.org/CVERecord?id=CVE-2024-52551", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", }, ], release_date: "2024-11-13T20:53:01.666000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:20:47+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2222", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-0:2.479.3.1740464433-3.el8.src", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.noarch", "8Base-OCP-Tools-4.13:jenkins-2-plugins-0:4.13.1740464698-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", }, ], }
rhsa-2025:2220
Vulnerability from csaf_redhat
Published
2025-03-04 14:39
Modified
2025-03-19 19:40
Summary
Red Hat Security Advisory: Red Hat Product OCP Tools 4.15 Openshift Jenkins security update
Notes
Topic
An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15.
Red Hat Product Security has rated this update as having a security impact of important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,
is available for each vulnerability from the CVE link(s) in the References section.
Details
Jenkins is a continuous integration server that monitors executions of repeated
jobs, such as building a software project or jobs run by cron.
Security Fix(es):
* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline
Declarative Plugin Allows Restart of Builds with Unapproved
Jenkinsfile(CVE-2024-52551)
* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin
File Disclosure Vulnerability(CVE-2024-52549)
* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for
Rebuilt Jenkins Pipelines(CVE-2024-52550)
* jenkins: XStream is vulnerable to a Denial of Service attack due to stack
overflow from a manipulated binary input stream(CVE-2024-47072)
* jenkins: Mishandling of an unbalanced comment string in
json-lib(CVE-2024-47855)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15.\nRed Hat Product Security has rated this update as having a security impact of important.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating,\nis available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Jenkins is a continuous integration server that monitors executions of repeated\njobs, such as building a software project or jobs run by cron.\n\nSecurity Fix(es):\n\n* org.jenkinsci.plugins/pipeline-model-definition: Jenkins Pipeline\nDeclarative Plugin Allows Restart of Builds with Unapproved\nJenkinsfile(CVE-2024-52551)\n* org.jenkins-ci.plugins/script-security: Jenkins Script Security Plugin\nFile Disclosure Vulnerability(CVE-2024-52549)\n* org.jenkins-ci.plugins.workflow/workflow-cps: Lack of Approval Check for\nRebuilt Jenkins Pipelines(CVE-2024-52550)\n* jenkins: XStream is vulnerable to a Denial of Service attack due to stack\noverflow from a manipulated binary input stream(CVE-2024-47072)\n* jenkins: Mishandling of an unbalanced comment string in\njson-lib(CVE-2024-47855)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments,\nand other related information, refer to the CVE page listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2220", url: "https://access.redhat.com/errata/RHSA-2025:2220", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2220.json", }, ], title: "Red Hat Security Advisory: Red Hat Product OCP Tools 4.15 Openshift Jenkins security update", tracking: { current_release_date: "2025-03-19T19:40:10+00:00", generator: { date: "2025-03-19T19:40:10+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2025:2220", initial_release_date: "2025-03-04T14:39:42+00:00", revision_history: [ { date: "2025-03-04T14:39:42+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-04T14:39:42+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T19:40:10+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "OpenShift Developer Tools and Services for OCP 4.15", product: { name: "OpenShift Developer Tools and Services for OCP 4.15", product_id: "8Base-OCP-Tools-4.15", product_identification_helper: { cpe: "cpe:/a:redhat:ocp_tools:4.15::el8", }, }, }, ], category: "product_family", name: "OpenShift Jenkins", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1740051993-3.el8.src", product: { name: "jenkins-0:2.479.3.1740051993-3.el8.src", product_id: "jenkins-0:2.479.3.1740051993-3.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740051993-3.el8?arch=src", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.15.1740052174-1.el8.src", product: { name: "jenkins-2-plugins-0:4.15.1740052174-1.el8.src", product_id: "jenkins-2-plugins-0:4.15.1740052174-1.el8.src", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.15.1740052174-1.el8?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jenkins-0:2.479.3.1740051993-3.el8.noarch", product: { name: "jenkins-0:2.479.3.1740051993-3.el8.noarch", product_id: "jenkins-0:2.479.3.1740051993-3.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins@2.479.3.1740051993-3.el8?arch=noarch", }, }, }, { category: "product_version", name: "jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", product: { name: "jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", product_id: "jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jenkins-2-plugins@4.15.1740052174-1.el8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740051993-3.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.15", product_id: "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", }, product_reference: "jenkins-0:2.479.3.1740051993-3.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.15", }, { category: "default_component_of", full_product_name: { name: "jenkins-0:2.479.3.1740051993-3.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.15", product_id: "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", }, product_reference: "jenkins-0:2.479.3.1740051993-3.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.15", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch as a component of OpenShift Developer Tools and Services for OCP 4.15", product_id: "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", }, product_reference: "jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", relates_to_product_reference: "8Base-OCP-Tools-4.15", }, { category: "default_component_of", full_product_name: { name: "jenkins-2-plugins-0:4.15.1740052174-1.el8.src as a component of OpenShift Developer Tools and Services for OCP 4.15", product_id: "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", }, product_reference: "jenkins-2-plugins-0:4.15.1740052174-1.el8.src", relates_to_product_reference: "8Base-OCP-Tools-4.15", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2024-11-08T13:47:39.374198+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2324606", }, ], notes: [ { category: "description", text: "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.", title: "Vulnerability description", }, { category: "summary", text: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability’s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "RHBZ#2324606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2324606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47072", url: "https://www.cve.org/CVERecord?id=CVE-2024-47072", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { category: "external", summary: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { category: "external", summary: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { category: "external", summary: "https://x-stream.github.io/CVE-2024-47072.html", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], release_date: "2024-11-07T23:38:52.978000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2220", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }, { cve: "CVE-2024-47855", cwe: { id: "CWE-1286", name: "Improper Validation of Syntactic Correctness of Input", }, discovery_date: "2024-10-04T06:00:55.617408+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316421", }, ], notes: [ { category: "description", text: "A flaw was found in JSON-lib's JSONTokener component. This vulnerability allows a denial of service via an unbalanced comment string.", title: "Vulnerability description", }, { category: "summary", text: "json-lib: Mishandling of an unbalanced comment string in json-lib", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47855", }, { category: "external", summary: "RHBZ#2316421", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316421", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47855", url: "https://www.cve.org/CVERecord?id=CVE-2024-47855", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47855", }, { category: "external", summary: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", url: "https://github.com/advisories/GHSA-wwcp-26wc-3fxm", }, { category: "external", summary: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", url: "https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e", }, { category: "external", summary: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", url: "https://github.com/kordamp/json-lib/compare/v3.0.3...v3.1.0", }, ], release_date: "2024-10-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2220", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "json-lib: Mishandling of an unbalanced comment string in json-lib", }, { cve: "CVE-2024-52549", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:01:25.191886+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326034", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Script Security Plugin. This vulnerability allows attackers with Overall/Read permission to check for the existence of files on the controller file system via a method that implements form validation that does not perform a permission check.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52549", }, { category: "external", summary: "RHBZ#2326034", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326034", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52549", url: "https://www.cve.org/CVERecord?id=CVE-2024-52549", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52549", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447", }, ], release_date: "2024-11-13T20:53:00.291000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2220", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "jenkins-plugin/script-security: Jenkins Script Security Plugin File Disclosure Vulnerability", }, { cve: "CVE-2024-52550", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:09.374298+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326043", }, ], notes: [ { category: "description", text: "A flaw was found in the Jenkins Pipeline: Groovy Plugin (jenkins-plugin/workflow-cps). This vulnerability allows attackers with Item/Build permission to rebuild a previous build whose main (Jenkinsfile) script is no longer approved, bypassing script approval checks via the rebuild action.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is considered of important severity rather than moderate because it allows attackers with the `Item/Build` permission to trigger the execution of previously unapproved Jenkinsfiles during the rebuild process. Jenkinsfiles often contain critical pipeline scripts that can interact with sensitive systems and data, including environment variables, credentials, and system configurations. If these scripts are not properly approved, malicious or unauthorized code could be executed, potentially leading to arbitrary code execution, privilege escalation, or data manipulation. The lack of a re-approval check for rebuilt builds bypasses essential security controls, which can be exploited by attackers to gain unauthorized access or compromise the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52550", }, { category: "external", summary: "RHBZ#2326043", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326043", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52550", url: "https://www.cve.org/CVERecord?id=CVE-2024-52550", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52550", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3362", }, ], release_date: "2024-11-13T20:53:00.972000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2220", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/workflow-cps: Lack of Approval Check for Rebuilt Jenkins Pipelines", }, { cve: "CVE-2024-52551", cwe: { id: "CWE-862", name: "Missing Authorization", }, discovery_date: "2024-11-13T21:02:23.613996+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2326047", }, ], notes: [ { category: "description", text: "A flaw was found in Jenkins Pipeline: Declarative Plugin (pipeline-model-definition). This vulnerability allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved via insufficient script approval checks.", title: "Vulnerability description", }, { category: "summary", text: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as Important due to the risk it poses by allowing attackers with Item/Build permissions to restart a previous build using an unapproved Jenkinsfile script, this could result in unauthorized execution of scripts, compromising the integrity of the build process.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-52551", }, { category: "external", summary: "RHBZ#2326047", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2326047", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-52551", url: "https://www.cve.org/CVERecord?id=CVE-2024-52551", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-52551", }, { category: "external", summary: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", url: "https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3361", }, ], release_date: "2024-11-13T20:53:01.666000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-04T14:39:42+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://access.redhat.com/articles/11258", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2220", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-0:2.479.3.1740051993-3.el8.src", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.noarch", "8Base-OCP-Tools-4.15:jenkins-2-plugins-0:4.15.1740052174-1.el8.src", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jenkins-plugin/pipeline-model-definition: Jenkins Pipeline Declarative Plugin Allows Restart of Builds with Unapproved Jenkinsfile", }, ], }
ncsc-2025-0027
Vulnerability from csaf_ncscnl
Published
2025-01-22 13:36
Modified
2025-01-22 13:36
Summary
Kwetsbaarheden verholpen in Oracle Fusion Middleware
Notes
The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:
NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.
NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.
This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.
Feiten
Oracle heeft meerdere kwetsbaarheden verholpen in zijn producten, waaronder Oracle Fusion Middleware, Oracle WebLogic Server, en Oracle HTTP Server.
Interpretaties
De kwetsbaarheden bevinden zich in verschillende Oracle producten, waaronder Oracle WebLogic Server versies 12.2.1.4.0 en 14.1.1.0.0, die het mogelijk maken voor ongeauthenticeerde kwaadwillenden om toegang te krijgen tot kritieke gegevens. Dit kan leiden tot ernstige gevolgen voor de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen. De kwetsbaarheid in Oracle HTTP Server versie 12.2.1.4.0 stelt kwaadwillenden in staat om ongeautoriseerde toegang te verkrijgen, met een CVSS-score van 5.3, terwijl de kwetsbaarheid in WebLogic Server een CVSS-score van 9.8 heeft, wat wijst op een kritieke impact. Kwaadwillenden kunnen ook gebruik maken van kwetsbaarheden in Oracle Fusion Middleware en andere producten om Denial-of-Service (DoS) aanvallen uit te voeren.
Oplossingen
Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.
Kans
medium
Schade
high
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-35
Path Traversal: '.../...//'
CWE-1395
Dependency on Vulnerable Third-Party Component
CWE-130
Improper Handling of Length Parameter Inconsistency
CWE-755
Improper Handling of Exceptional Conditions
CWE-732
Incorrect Permission Assignment for Critical Resource
CWE-116
Improper Encoding or Escaping of Output
CWE-190
Integer Overflow or Wraparound
CWE-532
Insertion of Sensitive Information into Log File
CWE-798
Use of Hard-coded Credentials
CWE-125
Out-of-bounds Read
CWE-284
Improper Access Control
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-295
Improper Certificate Validation
CWE-400
Uncontrolled Resource Consumption
CWE-502
Deserialization of Untrusted Data
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-611
Improper Restriction of XML External Entity Reference
CWE-787
Out-of-bounds Write
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-122
Heap-based Buffer Overflow
CWE-121
Stack-based Buffer Overflow
CWE-20
Improper Input Validation
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
{ document: { category: "csaf_security_advisory", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", }, }, lang: "nl", notes: [ { category: "legal_disclaimer", text: "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.", }, { category: "description", text: "Oracle heeft meerdere kwetsbaarheden verholpen in zijn producten, waaronder Oracle Fusion Middleware, Oracle WebLogic Server, en Oracle HTTP Server.", title: "Feiten", }, { category: "description", text: "De kwetsbaarheden bevinden zich in verschillende Oracle producten, waaronder Oracle WebLogic Server versies 12.2.1.4.0 en 14.1.1.0.0, die het mogelijk maken voor ongeauthenticeerde kwaadwillenden om toegang te krijgen tot kritieke gegevens. Dit kan leiden tot ernstige gevolgen voor de vertrouwelijkheid, integriteit en beschikbaarheid van de systemen. De kwetsbaarheid in Oracle HTTP Server versie 12.2.1.4.0 stelt kwaadwillenden in staat om ongeautoriseerde toegang te verkrijgen, met een CVSS-score van 5.3, terwijl de kwetsbaarheid in WebLogic Server een CVSS-score van 9.8 heeft, wat wijst op een kritieke impact. Kwaadwillenden kunnen ook gebruik maken van kwetsbaarheden in Oracle Fusion Middleware en andere producten om Denial-of-Service (DoS) aanvallen uit te voeren.", title: "Interpretaties", }, { category: "description", text: "Oracle heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.", title: "Oplossingen", }, { category: "general", text: "medium", title: "Kans", }, { category: "general", text: "high", title: "Schade", }, { category: "general", text: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", title: "CWE-338", }, { category: "general", text: "Path Traversal: '.../...//'", title: "CWE-35", }, { category: "general", text: "Dependency on Vulnerable Third-Party Component", title: "CWE-1395", }, { category: "general", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, { category: "general", text: "Improper Handling of Exceptional Conditions", title: "CWE-755", }, { category: "general", text: "Incorrect Permission Assignment for Critical Resource", title: "CWE-732", }, { category: "general", text: "Improper Encoding or Escaping of Output", title: "CWE-116", }, { category: "general", text: "Integer Overflow or Wraparound", title: "CWE-190", }, { category: "general", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, { category: "general", text: "Use of Hard-coded Credentials", title: "CWE-798", }, { category: "general", text: "Out-of-bounds Read", title: "CWE-125", }, { category: "general", text: "Improper Access Control", title: "CWE-284", }, { category: "general", text: "Improper Restriction of Operations within the Bounds of a Memory Buffer", title: "CWE-119", }, { category: "general", text: "Improper Certificate Validation", title: "CWE-295", }, { category: "general", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "general", text: "Deserialization of Untrusted Data", title: "CWE-502", }, { category: "general", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, { category: "general", text: "Improper Restriction of XML External Entity Reference", title: "CWE-611", }, { category: "general", text: "Out-of-bounds Write", title: "CWE-787", }, { category: "general", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "general", text: "Heap-based Buffer Overflow", title: "CWE-122", }, { category: "general", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "general", text: "Improper Input Validation", title: "CWE-20", }, { category: "general", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], publisher: { category: "coordinator", contact_details: "cert@ncsc.nl", name: "Nationaal Cyber Security Centrum", namespace: "https://www.ncsc.nl/", }, references: [ { category: "external", summary: "Reference - cveprojectv5; nvd; oracle", url: "https://www.oracle.com/security-alerts/cpujan2025.html", }, ], title: "Kwetsbaarheden verholpen in Oracle Fusion Middleware", tracking: { current_release_date: "2025-01-22T13:36:27.908718Z", id: "NCSC-2025-0027", initial_release_date: "2025-01-22T13:36:27.908718Z", revision_history: [ { date: "2025-01-22T13:36:27.908718Z", number: "0", summary: "Initiele versie", }, ], status: "final", version: "1.0.0", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "http_server", product: { name: "http_server", product_id: "CSAFPID-93909", product_identification_helper: { cpe: "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "http_server", product: { name: "http_server", product_id: "CSAFPID-40303", product_identification_helper: { cpe: "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "http_server", product: { name: "http_server", product_id: "CSAFPID-912074", product_identification_helper: { cpe: "cpe:2.3:a:oracle:http_server:14.1.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware_mapviewer", product: { name: "fusion_middleware_mapviewer", product_id: "CSAFPID-226018", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-1646487", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:-:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-332789", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:11.1.1.5.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-1747074", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:12.2.1.19.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-342815", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-271904", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-503474", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:14.1.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "fusion_middleware", product: { name: "fusion_middleware", product_id: "CSAFPID-1674670", product_identification_helper: { cpe: "cpe:2.3:a:oracle:fusion_middleware:8.5.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "weblogic_server", product: { name: "weblogic_server", product_id: "CSAFPID-3661", product_identification_helper: { cpe: "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "weblogic_server", product: { name: "weblogic_server", product_id: "CSAFPID-3660", product_identification_helper: { cpe: "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "weblogic_server", product: { name: "weblogic_server", product_id: "CSAFPID-1973", product_identification_helper: { cpe: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "weblogic_server", product: { name: "weblogic_server", product_id: "CSAFPID-1751293", product_identification_helper: { cpe: "cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "security_service", product: { name: "security_service", product_id: "CSAFPID-199820", product_identification_helper: { cpe: "cpe:2.3:a:oracle:security_service:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "business_activity_monitoring", product: { name: "business_activity_monitoring", product_id: "CSAFPID-228157", product_identification_helper: { cpe: "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "business_activity_monitoring__bam_", product: { name: "business_activity_monitoring__bam_", product_id: "CSAFPID-764927", product_identification_helper: { cpe: "cpe:2.3:a:oracle:business_activity_monitoring__bam_:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "business_activity_monitoring__bam_", product: { name: "business_activity_monitoring__bam_", product_id: "CSAFPID-764928", product_identification_helper: { cpe: "cpe:2.3:a:oracle:business_activity_monitoring__bam_:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "identity_manager", product: { name: "identity_manager", product_id: "CSAFPID-220164", product_identification_helper: { cpe: "cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "managed_file_transfer", product: { name: "managed_file_transfer", product_id: "CSAFPID-204581", product_identification_helper: { cpe: "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "middleware_common_libraries_and_tools", product: { name: "middleware_common_libraries_and_tools", product_id: "CSAFPID-94398", product_identification_helper: { cpe: "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "middleware_common_libraries_and_tools", product: { name: "middleware_common_libraries_and_tools", product_id: "CSAFPID-94309", product_identification_helper: { cpe: "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "middleware_common_libraries_and_tools", product: { name: "middleware_common_libraries_and_tools", product_id: "CSAFPID-94393", product_identification_helper: { cpe: "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:14.1.1.0.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "business_process_management_suite", product: { name: "business_process_management_suite", product_id: "CSAFPID-9043", product_identification_helper: { cpe: "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "business_process_management_suite", product: { name: "business_process_management_suite", product_id: "CSAFPID-9642", product_identification_helper: { cpe: "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "outside_in_technology", product: { name: "outside_in_technology", product_id: "CSAFPID-1260", product_identification_helper: { cpe: "cpe:2.3:a:oracle:outside_in_technology:8.5.6:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "outside_in_technology", product: { name: "outside_in_technology", product_id: "CSAFPID-912053", product_identification_helper: { cpe: "cpe:2.3:a:oracle:outside_in_technology:8.5.7:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "webcenter_portal", product: { name: "webcenter_portal", product_id: "CSAFPID-135359", product_identification_helper: { cpe: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", }, }, }, { category: "product_name", name: "webcenter_portal", product: { name: "webcenter_portal", product_id: "CSAFPID-45194", product_identification_helper: { cpe: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", }, }, }, ], category: "vendor", name: "oracle", }, ], }, vulnerabilities: [ { cve: "CVE-2019-12415", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, notes: [ { category: "other", text: "Improper Restriction of XML External Entity Reference", title: "CWE-611", }, ], product_status: { known_affected: [ "CSAFPID-45194", "CSAFPID-135359", "CSAFPID-1646487", "CSAFPID-9642", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-204581", "CSAFPID-94309", "CSAFPID-1260", "CSAFPID-3661", "CSAFPID-3660", "CSAFPID-1973", "CSAFPID-94393", "CSAFPID-226018", "CSAFPID-764927", "CSAFPID-764928", "CSAFPID-9043", "CSAFPID-93909", "CSAFPID-94398", ], }, references: [ { category: "self", summary: "CVE-2019-12415", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2019/CVE-2019-12415.json", }, ], scores: [ { cvss_v3: { baseScore: 5.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-45194", "CSAFPID-135359", "CSAFPID-1646487", "CSAFPID-9642", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-204581", "CSAFPID-94309", "CSAFPID-1260", "CSAFPID-3661", "CSAFPID-3660", "CSAFPID-1973", "CSAFPID-94393", "CSAFPID-226018", "CSAFPID-764927", "CSAFPID-764928", "CSAFPID-9043", "CSAFPID-93909", "CSAFPID-94398", ], }, ], title: "CVE-2019-12415", }, { cve: "CVE-2023-7272", cwe: { id: "CWE-787", name: "Out-of-bounds Write", }, notes: [ { category: "other", text: "Out-of-bounds Write", title: "CWE-787", }, ], product_status: { known_affected: [ "CSAFPID-3660", "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2023-7272", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-7272.json", }, ], scores: [ { cvss_v3: { baseScore: 8.6, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-3660", "CSAFPID-1973", ], }, ], title: "CVE-2023-7272", }, { cve: "CVE-2023-38709", cwe: { id: "CWE-113", name: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", }, notes: [ { category: "other", text: "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", title: "CWE-113", }, { category: "other", text: "Improper Validation of Specified Quantity in Input", title: "CWE-1284", }, ], product_status: { known_affected: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2023-38709", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-38709.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, ], title: "CVE-2023-38709", }, { cve: "CVE-2023-39410", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, notes: [ { category: "other", text: "Deserialization of Untrusted Data", title: "CWE-502", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, ], product_status: { known_affected: [ "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-9642", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-271904", ], }, references: [ { category: "self", summary: "CVE-2023-39410", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-39410.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-9642", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-271904", ], }, ], title: "CVE-2023-39410", }, { cve: "CVE-2023-44483", cwe: { id: "CWE-532", name: "Insertion of Sensitive Information into Log File", }, notes: [ { category: "other", text: "Insertion of Sensitive Information into Log File", title: "CWE-532", }, ], product_status: { known_affected: [ "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-9642", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-271904", "CSAFPID-94393", "CSAFPID-226018", "CSAFPID-912053", "CSAFPID-912074", "CSAFPID-228157", ], }, references: [ { category: "self", summary: "CVE-2023-44483", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-44483.json", }, ], scores: [ { cvss_v3: { baseScore: 6.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-9642", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-271904", "CSAFPID-94393", "CSAFPID-226018", "CSAFPID-912053", "CSAFPID-912074", "CSAFPID-228157", ], }, ], title: "CVE-2023-44483", }, { cve: "CVE-2023-49582", cwe: { id: "CWE-732", name: "Incorrect Permission Assignment for Critical Resource", }, notes: [ { category: "other", text: "Incorrect Permission Assignment for Critical Resource", title: "CWE-732", }, { category: "other", text: "Improper Restriction of Operations within the Bounds of a Memory Buffer", title: "CWE-119", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2023-49582", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-49582.json", }, ], scores: [ { cvss_v3: { baseScore: 5.5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2023-49582", }, { cve: "CVE-2023-51775", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-332789", "CSAFPID-342815", "CSAFPID-1674670", "CSAFPID-503474", "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-94393", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-226018", "CSAFPID-912053", "CSAFPID-912074", "CSAFPID-228157", "CSAFPID-271904", ], }, references: [ { category: "self", summary: "CVE-2023-51775", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-51775.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-332789", "CSAFPID-342815", "CSAFPID-1674670", "CSAFPID-503474", "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-94393", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-226018", "CSAFPID-912053", "CSAFPID-912074", "CSAFPID-228157", "CSAFPID-271904", ], }, ], title: "CVE-2023-51775", }, { cve: "CVE-2024-5535", cwe: { id: "CWE-200", name: "Exposure of Sensitive Information to an Unauthorized Actor", }, notes: [ { category: "other", text: "Exposure of Sensitive Information to an Unauthorized Actor", title: "CWE-200", }, { category: "other", text: "Improper Restriction of Operations within the Bounds of a Memory Buffer", title: "CWE-119", }, { category: "other", text: "Dependency on Vulnerable Third-Party Component", title: "CWE-1395", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-5535", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-5535.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2024-5535", }, { cve: "CVE-2024-6119", cwe: { id: "CWE-843", name: "Access of Resource Using Incompatible Type ('Type Confusion')", }, notes: [ { category: "other", text: "Access of Resource Using Incompatible Type ('Type Confusion')", title: "CWE-843", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-6119", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-6119.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2024-6119", }, { cve: "CVE-2024-8096", cwe: { id: "CWE-295", name: "Improper Certificate Validation", }, notes: [ { category: "other", text: "Improper Certificate Validation", title: "CWE-295", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-8096", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-8096.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2024-8096", }, { cve: "CVE-2024-23635", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, notes: [ { category: "other", text: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", title: "CWE-79", }, ], product_status: { known_affected: [ "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-94393", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-226018", "CSAFPID-912053", "CSAFPID-912074", "CSAFPID-228157", "CSAFPID-271904", ], }, references: [ { category: "self", summary: "CVE-2024-23635", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23635.json", }, ], scores: [ { cvss_v3: { baseScore: 6.1, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, products: [ "CSAFPID-1260", "CSAFPID-1973", "CSAFPID-3660", "CSAFPID-40303", "CSAFPID-45194", "CSAFPID-94309", "CSAFPID-94393", "CSAFPID-204581", "CSAFPID-220164", "CSAFPID-226018", "CSAFPID-912053", "CSAFPID-912074", "CSAFPID-228157", "CSAFPID-271904", ], }, ], title: "CVE-2024-23635", }, { cve: "CVE-2024-29857", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, { category: "other", text: "Improper Input Validation", title: "CWE-20", }, { category: "other", text: "Out-of-bounds Read", title: "CWE-125", }, ], product_status: { known_affected: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", "CSAFPID-1747074", "CSAFPID-1674670", "CSAFPID-503474", ], }, references: [ { category: "self", summary: "CVE-2024-29857", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-29857.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", "CSAFPID-1747074", "CSAFPID-1674670", "CSAFPID-503474", ], }, ], title: "CVE-2024-29857", }, { cve: "CVE-2024-30171", cwe: { id: "CWE-208", name: "Observable Timing Discrepancy", }, notes: [ { category: "other", text: "Observable Timing Discrepancy", title: "CWE-208", }, { category: "other", text: "Observable Discrepancy", title: "CWE-203", }, ], product_status: { known_affected: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2024-30171", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-30171.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, ], title: "CVE-2024-30171", }, { cve: "CVE-2024-30172", cwe: { id: "CWE-835", name: "Loop with Unreachable Exit Condition ('Infinite Loop')", }, notes: [ { category: "other", text: "Loop with Unreachable Exit Condition ('Infinite Loop')", title: "CWE-835", }, ], product_status: { known_affected: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2024-30172", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-30172.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, ], title: "CVE-2024-30172", }, { cve: "CVE-2024-34447", cwe: { id: "CWE-706", name: "Use of Incorrectly-Resolved Name or Reference", }, notes: [ { category: "other", text: "Use of Incorrectly-Resolved Name or Reference", title: "CWE-706", }, ], product_status: { known_affected: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2024-34447", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-34447.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-228157", "CSAFPID-271904", "CSAFPID-40303", "CSAFPID-220164", "CSAFPID-94309", "CSAFPID-912053", "CSAFPID-45194", "CSAFPID-3660", "CSAFPID-1973", ], }, ], title: "CVE-2024-34447", }, { cve: "CVE-2024-34750", cwe: { id: "CWE-755", name: "Improper Handling of Exceptional Conditions", }, notes: [ { category: "other", text: "Improper Handling of Exceptional Conditions", title: "CWE-755", }, { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-204581", ], }, references: [ { category: "self", summary: "CVE-2024-34750", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-34750.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-204581", ], }, ], title: "CVE-2024-34750", }, { cve: "CVE-2024-37370", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, notes: [ { category: "other", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, ], product_status: { known_affected: [ "CSAFPID-199820", ], }, references: [ { category: "self", summary: "CVE-2024-37370", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37370.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-199820", ], }, ], title: "CVE-2024-37370", }, { cve: "CVE-2024-37371", cwe: { id: "CWE-130", name: "Improper Handling of Length Parameter Inconsistency", }, notes: [ { category: "other", text: "Improper Handling of Length Parameter Inconsistency", title: "CWE-130", }, ], product_status: { known_affected: [ "CSAFPID-199820", ], }, references: [ { category: "self", summary: "CVE-2024-37371", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-37371.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-199820", ], }, ], title: "CVE-2024-37371", }, { cve: "CVE-2024-38473", cwe: { id: "CWE-172", name: "Encoding Error", }, notes: [ { category: "other", text: "Encoding Error", title: "CWE-172", }, { category: "other", text: "Improper Encoding or Escaping of Output", title: "CWE-116", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-38473", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38473.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2024-38473", }, { cve: "CVE-2024-38475", cwe: { id: "CWE-284", name: "Improper Access Control", }, notes: [ { category: "other", text: "Improper Access Control", title: "CWE-284", }, { category: "other", text: "Improper Encoding or Escaping of Output", title: "CWE-116", }, { category: "other", text: "Path Traversal: '.../...//'", title: "CWE-35", }, { category: "other", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "other", text: "Heap-based Buffer Overflow", title: "CWE-122", }, { category: "other", text: "Use of Hard-coded Credentials", title: "CWE-798", }, { category: "other", text: "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", title: "CWE-338", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-38475", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38475.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2024-38475", }, { cve: "CVE-2024-38816", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, notes: [ { category: "other", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, { category: "other", text: "Relative Path Traversal", title: "CWE-23", }, ], product_status: { known_affected: [ "CSAFPID-94309", "CSAFPID-220164", ], }, references: [ { category: "self", summary: "CVE-2024-38816", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38816.json", }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-94309", "CSAFPID-220164", ], }, ], title: "CVE-2024-38816", }, { cve: "CVE-2024-38819", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, notes: [ { category: "other", text: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", title: "CWE-22", }, ], product_status: { known_affected: [ "CSAFPID-94309", "CSAFPID-220164", ], }, references: [ { category: "self", summary: "CVE-2024-38819", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38819.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-94309", "CSAFPID-220164", ], }, ], title: "CVE-2024-38819", }, { cve: "CVE-2024-38998", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, notes: [ { category: "other", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], product_status: { known_affected: [ "CSAFPID-228157", "CSAFPID-9642", "CSAFPID-226018", "CSAFPID-45194", ], }, references: [ { category: "self", summary: "CVE-2024-38998", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38998.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-228157", "CSAFPID-9642", "CSAFPID-226018", "CSAFPID-45194", ], }, ], title: "CVE-2024-38998", }, { cve: "CVE-2024-38999", cwe: { id: "CWE-1321", name: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", }, notes: [ { category: "other", text: "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", title: "CWE-1321", }, ], product_status: { known_affected: [ "CSAFPID-9642", "CSAFPID-228157", "CSAFPID-332789", "CSAFPID-342815", "CSAFPID-271904", "CSAFPID-1674670", "CSAFPID-503474", "CSAFPID-226018", "CSAFPID-45194", ], }, references: [ { category: "self", summary: "CVE-2024-38999", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-38999.json", }, ], scores: [ { cvss_v3: { baseScore: 10, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9642", "CSAFPID-228157", "CSAFPID-332789", "CSAFPID-342815", "CSAFPID-271904", "CSAFPID-1674670", "CSAFPID-503474", "CSAFPID-226018", "CSAFPID-45194", ], }, ], title: "CVE-2024-38999", }, { cve: "CVE-2024-40898", cwe: { id: "CWE-918", name: "Server-Side Request Forgery (SSRF)", }, notes: [ { category: "other", text: "Server-Side Request Forgery (SSRF)", title: "CWE-918", }, ], product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-40898", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-40898.json", }, ], scores: [ { cvss_v3: { baseScore: 9.1, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2024-40898", }, { cve: "CVE-2024-45490", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, notes: [ { category: "other", text: "Integer Overflow or Wraparound", title: "CWE-190", }, { category: "other", text: "Incorrect Calculation of Buffer Size", title: "CWE-131", }, { category: "other", text: "Improper Restriction of XML External Entity Reference", title: "CWE-611", }, ], product_status: { known_affected: [ "CSAFPID-912053", "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-45490", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45490.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-912053", "CSAFPID-40303", ], }, ], title: "CVE-2024-45490", }, { cve: "CVE-2024-45491", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, notes: [ { category: "other", text: "Integer Overflow or Wraparound", title: "CWE-190", }, ], product_status: { known_affected: [ "CSAFPID-912053", "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-45491", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45491.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-912053", "CSAFPID-40303", ], }, ], title: "CVE-2024-45491", }, { cve: "CVE-2024-45492", cwe: { id: "CWE-190", name: "Integer Overflow or Wraparound", }, notes: [ { category: "other", text: "Integer Overflow or Wraparound", title: "CWE-190", }, ], product_status: { known_affected: [ "CSAFPID-912053", "CSAFPID-332789", "CSAFPID-342815", "CSAFPID-271904", "CSAFPID-1674670", "CSAFPID-503474", "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2024-45492", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-45492.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-912053", "CSAFPID-332789", "CSAFPID-342815", "CSAFPID-271904", "CSAFPID-1674670", "CSAFPID-503474", "CSAFPID-40303", ], }, ], title: "CVE-2024-45492", }, { cve: "CVE-2024-47072", cwe: { id: "CWE-121", name: "Stack-based Buffer Overflow", }, notes: [ { category: "other", text: "Stack-based Buffer Overflow", title: "CWE-121", }, { category: "other", text: "Deserialization of Untrusted Data", title: "CWE-502", }, ], product_status: { known_affected: [ "CSAFPID-228157", ], }, references: [ { category: "self", summary: "CVE-2024-47072", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-47072.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-228157", ], }, ], title: "CVE-2024-47072", }, { cve: "CVE-2024-47554", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, notes: [ { category: "other", text: "Uncontrolled Resource Consumption", title: "CWE-400", }, ], product_status: { known_affected: [ "CSAFPID-1751293", "CSAFPID-45194", "CSAFPID-1973", "CSAFPID-3660", ], }, references: [ { category: "self", summary: "CVE-2024-47554", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-47554.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-1751293", "CSAFPID-45194", "CSAFPID-1973", "CSAFPID-3660", ], }, ], title: "CVE-2024-47554", }, { cve: "CVE-2024-47561", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, notes: [ { category: "other", text: "Deserialization of Untrusted Data", title: "CWE-502", }, ], product_status: { known_affected: [ "CSAFPID-9642", ], }, references: [ { category: "self", summary: "CVE-2024-47561", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-47561.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-9642", ], }, ], title: "CVE-2024-47561", }, { cve: "CVE-2025-21498", product_status: { known_affected: [ "CSAFPID-40303", ], }, references: [ { category: "self", summary: "CVE-2025-21498", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21498.json", }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, products: [ "CSAFPID-40303", ], }, ], title: "CVE-2025-21498", }, { cve: "CVE-2025-21535", product_status: { known_affected: [ "CSAFPID-3660", "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2025-21535", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21535.json", }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "CSAFPID-3660", "CSAFPID-1973", ], }, ], title: "CVE-2025-21535", }, { cve: "CVE-2025-21549", product_status: { known_affected: [ "CSAFPID-1973", ], }, references: [ { category: "self", summary: "CVE-2025-21549", url: "https://api.ncsc.nl/velma/v1/vulnerabilities/2025/CVE-2025-21549.json", }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "CSAFPID-1973", ], }, ], title: "CVE-2025-21549", }, ], }
opensuse-su-2024:14480-1
Vulnerability from csaf_opensuse
Published
2024-11-08 00:00
Modified
2024-11-08 00:00
Summary
xstream-1.4.21-1.1 on GA media
Notes
Title of the patch
xstream-1.4.21-1.1 on GA media
Description of the patch
These are all security issues fixed in the xstream-1.4.21-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14480
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "xstream-1.4.21-1.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the xstream-1.4.21-1.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-14480", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14480-1.json", }, { category: "self", summary: "SUSE CVE CVE-2024-47072 page", url: "https://www.suse.com/security/cve/CVE-2024-47072/", }, ], title: "xstream-1.4.21-1.1 on GA media", tracking: { current_release_date: "2024-11-08T00:00:00Z", generator: { date: "2024-11-08T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:14480-1", initial_release_date: "2024-11-08T00:00:00Z", revision_history: [ { date: "2024-11-08T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "xstream-1.4.21-1.1.aarch64", product: { name: "xstream-1.4.21-1.1.aarch64", product_id: "xstream-1.4.21-1.1.aarch64", }, }, { category: "product_version", name: "xstream-benchmark-1.4.21-1.1.aarch64", product: { name: "xstream-benchmark-1.4.21-1.1.aarch64", product_id: "xstream-benchmark-1.4.21-1.1.aarch64", }, }, { category: "product_version", name: "xstream-javadoc-1.4.21-1.1.aarch64", product: { name: "xstream-javadoc-1.4.21-1.1.aarch64", product_id: "xstream-javadoc-1.4.21-1.1.aarch64", }, }, { category: "product_version", name: "xstream-parent-1.4.21-1.1.aarch64", product: { name: "xstream-parent-1.4.21-1.1.aarch64", product_id: "xstream-parent-1.4.21-1.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "xstream-1.4.21-1.1.ppc64le", product: { name: "xstream-1.4.21-1.1.ppc64le", product_id: "xstream-1.4.21-1.1.ppc64le", }, }, { category: "product_version", name: "xstream-benchmark-1.4.21-1.1.ppc64le", product: { name: "xstream-benchmark-1.4.21-1.1.ppc64le", product_id: "xstream-benchmark-1.4.21-1.1.ppc64le", }, }, { category: "product_version", name: "xstream-javadoc-1.4.21-1.1.ppc64le", product: { name: "xstream-javadoc-1.4.21-1.1.ppc64le", product_id: "xstream-javadoc-1.4.21-1.1.ppc64le", }, }, { category: "product_version", name: "xstream-parent-1.4.21-1.1.ppc64le", product: { name: "xstream-parent-1.4.21-1.1.ppc64le", product_id: "xstream-parent-1.4.21-1.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "xstream-1.4.21-1.1.s390x", product: { name: "xstream-1.4.21-1.1.s390x", product_id: "xstream-1.4.21-1.1.s390x", }, }, { category: "product_version", name: "xstream-benchmark-1.4.21-1.1.s390x", product: { name: "xstream-benchmark-1.4.21-1.1.s390x", product_id: "xstream-benchmark-1.4.21-1.1.s390x", }, }, { category: "product_version", name: "xstream-javadoc-1.4.21-1.1.s390x", product: { name: "xstream-javadoc-1.4.21-1.1.s390x", product_id: "xstream-javadoc-1.4.21-1.1.s390x", }, }, { category: "product_version", name: "xstream-parent-1.4.21-1.1.s390x", product: { name: "xstream-parent-1.4.21-1.1.s390x", product_id: "xstream-parent-1.4.21-1.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "xstream-1.4.21-1.1.x86_64", product: { name: "xstream-1.4.21-1.1.x86_64", product_id: "xstream-1.4.21-1.1.x86_64", }, }, { category: "product_version", name: "xstream-benchmark-1.4.21-1.1.x86_64", product: { name: "xstream-benchmark-1.4.21-1.1.x86_64", product_id: "xstream-benchmark-1.4.21-1.1.x86_64", }, }, { category: "product_version", name: "xstream-javadoc-1.4.21-1.1.x86_64", product: { name: "xstream-javadoc-1.4.21-1.1.x86_64", product_id: "xstream-javadoc-1.4.21-1.1.x86_64", }, }, { category: "product_version", name: "xstream-parent-1.4.21-1.1.x86_64", product: { name: "xstream-parent-1.4.21-1.1.x86_64", product_id: "xstream-parent-1.4.21-1.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.21-1.1.aarch64", }, product_reference: "xstream-1.4.21-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.21-1.1.ppc64le", }, product_reference: "xstream-1.4.21-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.21-1.1.s390x", }, product_reference: "xstream-1.4.21-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-1.4.21-1.1.x86_64", }, product_reference: "xstream-1.4.21-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.21-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.aarch64", }, product_reference: "xstream-benchmark-1.4.21-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.21-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.ppc64le", }, product_reference: "xstream-benchmark-1.4.21-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.21-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.s390x", }, product_reference: "xstream-benchmark-1.4.21-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.21-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.x86_64", }, product_reference: "xstream-benchmark-1.4.21-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.21-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.aarch64", }, product_reference: "xstream-javadoc-1.4.21-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.21-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.ppc64le", }, product_reference: "xstream-javadoc-1.4.21-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.21-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.s390x", }, product_reference: "xstream-javadoc-1.4.21-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.21-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.x86_64", }, product_reference: "xstream-javadoc-1.4.21-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.21-1.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.aarch64", }, product_reference: "xstream-parent-1.4.21-1.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.21-1.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.ppc64le", }, product_reference: "xstream-parent-1.4.21-1.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.21-1.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.s390x", }, product_reference: "xstream-parent-1.4.21-1.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.21-1.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.x86_64", }, product_reference: "xstream-parent-1.4.21-1.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-47072", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:xstream-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-47072", url: "https://www.suse.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "SUSE Bug 1233085 for CVE-2024-47072", url: "https://bugzilla.suse.com/1233085", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:xstream-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "openSUSE Tumbleweed:xstream-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-benchmark-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-javadoc-1.4.21-1.1.x86_64", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.aarch64", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.ppc64le", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.s390x", "openSUSE Tumbleweed:xstream-parent-1.4.21-1.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-11-08T00:00:00Z", details: "important", }, ], title: "CVE-2024-47072", }, ], }
ghsa-hfq9-hggm-c56q
Vulnerability from github
Published
2024-11-07 21:51
Modified
2024-11-08 13:55
Severity ?
Summary
XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream
Details
Impact
The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.
Patches
XStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead.
Workarounds
The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
References
See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for CVE-2024-47072.
Credits
Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.
{ affected: [ { package: { ecosystem: "Maven", name: "com.thoughtworks.xstream:xstream", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.4.21", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2024-47072", ], database_specific: { cwe_ids: [ "CWE-121", "CWE-502", ], github_reviewed: true, github_reviewed_at: "2024-11-07T21:51:17Z", nvd_published_at: "2024-11-08T00:15:14Z", severity: "HIGH", }, details: "### Impact\nThe vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver.\n\n### Patches\nXStream 1.4.21 detects the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead.\n\n### Workarounds\nThe only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.\n\n### References\nSee full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html).\n\n### Credits\nAlexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.", id: "GHSA-hfq9-hggm-c56q", modified: "2024-11-08T13:55:23Z", published: "2024-11-07T21:51:17Z", references: [ { type: "WEB", url: "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47072", }, { type: "WEB", url: "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266", }, { type: "WEB", url: "https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a", }, { type: "PACKAGE", url: "https://github.com/x-stream/xstream", }, { type: "WEB", url: "https://x-stream.github.io/CVE-2024-47072.html", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", type: "CVSS_V4", }, ], summary: "XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream", }
suse-su-2024:4037-1
Vulnerability from csaf_suse
Published
2024-11-19 08:48
Modified
2024-11-19 08:48
Summary
Security update for bea-stax, xstream
Notes
Title of the patch
Security update for bea-stax, xstream
Description of the patch
This update for bea-stax, xstream fixes the following issues:
- CVE-2024-47072: Fixed possible remote denial-of-service via a stack overflow (bsc#1233085).
Patchnames
SUSE-2024-4037,SUSE-SLE-Module-Basesystem-15-SP5-2024-4037,SUSE-SLE-Module-Basesystem-15-SP6-2024-4037,SUSE-SLE-Module-Development-Tools-15-SP5-2024-4037,SUSE-SLE-Module-Development-Tools-15-SP6-2024-4037,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-4037,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4037,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4037,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4037,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4037,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-4037,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-4037,SUSE-Storage-7.1-2024-4037,openSUSE-SLE-15.5-2024-4037,openSUSE-SLE-15.6-2024-4037
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for bea-stax, xstream", title: "Title of the patch", }, { category: "description", text: "This update for bea-stax, xstream fixes the following issues:\n\n- CVE-2024-47072: Fixed possible remote denial-of-service via a stack overflow (bsc#1233085).\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2024-4037,SUSE-SLE-Module-Basesystem-15-SP5-2024-4037,SUSE-SLE-Module-Basesystem-15-SP6-2024-4037,SUSE-SLE-Module-Development-Tools-15-SP5-2024-4037,SUSE-SLE-Module-Development-Tools-15-SP6-2024-4037,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-4037,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-4037,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-4037,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-4037,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-4037,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-4037,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-4037,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-4037,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-4037,SUSE-Storage-7.1-2024-4037,openSUSE-SLE-15.5-2024-4037,openSUSE-SLE-15.6-2024-4037", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_4037-1.json", }, { category: "self", summary: "URL for SUSE-SU-2024:4037-1", url: "https://www.suse.com/support/update/announcement/2024/suse-su-20244037-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2024:4037-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019839.html", }, { category: "self", summary: "SUSE Bug 1233085", url: "https://bugzilla.suse.com/1233085", }, { category: "self", summary: "SUSE CVE CVE-2024-47072 page", url: "https://www.suse.com/security/cve/CVE-2024-47072/", }, ], title: "Security update for bea-stax, xstream", tracking: { current_release_date: "2024-11-19T08:48:56Z", generator: { date: "2024-11-19T08:48:56Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2024:4037-1", initial_release_date: "2024-11-19T08:48:56Z", revision_history: [ { date: "2024-11-19T08:48:56Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "bea-stax-1.2.0-150200.11.3.1.noarch", product: { name: "bea-stax-1.2.0-150200.11.3.1.noarch", product_id: "bea-stax-1.2.0-150200.11.3.1.noarch", }, }, { category: "product_version", name: "bea-stax-api-1.2.0-150200.11.3.1.noarch", product: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch", product_id: "bea-stax-api-1.2.0-150200.11.3.1.noarch", }, }, { category: "product_version", name: "bea-stax-javadoc-1.2.0-150200.11.3.1.noarch", product: { name: "bea-stax-javadoc-1.2.0-150200.11.3.1.noarch", product_id: "bea-stax-javadoc-1.2.0-150200.11.3.1.noarch", }, }, { category: "product_version", name: "xstream-1.4.21-150200.3.28.1.noarch", product: { name: "xstream-1.4.21-150200.3.28.1.noarch", product_id: "xstream-1.4.21-150200.3.28.1.noarch", }, }, { category: "product_version", name: "xstream-benchmark-1.4.21-150200.3.28.1.noarch", product: { name: "xstream-benchmark-1.4.21-150200.3.28.1.noarch", product_id: "xstream-benchmark-1.4.21-150200.3.28.1.noarch", }, }, { category: "product_version", name: "xstream-javadoc-1.4.21-150200.3.28.1.noarch", product: { name: "xstream-javadoc-1.4.21-150200.3.28.1.noarch", product_id: "xstream-javadoc-1.4.21-150200.3.28.1.noarch", }, }, { category: "product_version", name: "xstream-parent-1.4.21-150200.3.28.1.noarch", product: { name: "xstream-parent-1.4.21-150200.3.28.1.noarch", product_id: "xstream-parent-1.4.21-150200.3.28.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Basesystem 15 SP5", product: { name: "SUSE Linux Enterprise Module for Basesystem 15 SP5", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-basesystem:15:sp5", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Basesystem 15 SP6", product: { name: "SUSE Linux Enterprise Module for Basesystem 15 SP6", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP6", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-basesystem:15:sp6", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Development Tools 15 SP5", product: { name: "SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-development-tools:15:sp5", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Development Tools 15 SP6", product: { name: "SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-development-tools:15:sp6", }, }, }, { category: "product_name", name: "SUSE Manager Server Module 4.3", product: { name: "SUSE Manager Server Module 4.3", product_id: "SUSE Manager Server Module 4.3", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-suse-manager-server:4.3", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", product: { name: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sle_hpc-ltss:15:sp2", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", product: { name: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sle_hpc-ltss:15:sp3", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", product: { name: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", product_identification_helper: { cpe: "cpe:/o:suse:sle_hpc-espos:15:sp4", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", product: { name: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sle_hpc-ltss:15:sp4", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Server 15 SP2-LTSS", product: { name: "SUSE Linux Enterprise Server 15 SP2-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP2-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sles-ltss:15:sp2", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Server 15 SP3-LTSS", product: { name: "SUSE Linux Enterprise Server 15 SP3-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sles-ltss:15:sp3", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Server 15 SP4-LTSS", product: { name: "SUSE Linux Enterprise Server 15 SP4-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP4-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sles-ltss:15:sp4", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Server for SAP Applications 15 SP2", product: { name: "SUSE Linux Enterprise Server for SAP Applications 15 SP2", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP2", product_identification_helper: { cpe: "cpe:/o:suse:sles_sap:15:sp2", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Server for SAP Applications 15 SP3", product: { name: "SUSE Linux Enterprise Server for SAP Applications 15 SP3", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3", product_identification_helper: { cpe: "cpe:/o:suse:sles_sap:15:sp3", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Server for SAP Applications 15 SP4", product: { name: "SUSE Linux Enterprise Server for SAP Applications 15 SP4", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP4", product_identification_helper: { cpe: "cpe:/o:suse:sles_sap:15:sp4", }, }, }, { category: "product_name", name: "SUSE Manager Proxy 4.3", product: { name: "SUSE Manager Proxy 4.3", product_id: "SUSE Manager Proxy 4.3", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-proxy:4.3", }, }, }, { category: "product_name", name: "SUSE Manager Server 4.3", product: { name: "SUSE Manager Server 4.3", product_id: "SUSE Manager Server 4.3", product_identification_helper: { cpe: "cpe:/o:suse:suse-manager-server:4.3", }, }, }, { category: "product_name", name: "SUSE Enterprise Storage 7.1", product: { name: "SUSE Enterprise Storage 7.1", product_id: "SUSE Enterprise Storage 7.1", product_identification_helper: { cpe: "cpe:/o:suse:ses:7.1", }, }, }, { category: "product_name", name: "openSUSE Leap 15.5", product: { name: "openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.5", }, }, }, { category: "product_name", name: "openSUSE Leap 15.6", product: { name: "openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.6", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP5", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP5", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP5", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP6", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP6", product_id: "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Basesystem 15 SP6", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Manager Server Module 4.3", product_id: "SUSE Manager Server Module 4.3:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Manager Server Module 4.3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", product_id: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP2-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP2-LTSS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP2-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP4-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP4-LTSS", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS", product_id: "SUSE Linux Enterprise Server 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP4-LTSS", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP2", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP2", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP2:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP2", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP3", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP4", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP4", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4", product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP4:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP4", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Manager Proxy 4.3", product_id: "SUSE Manager Proxy 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Manager Proxy 4.3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Manager Proxy 4.3", product_id: "SUSE Manager Proxy 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Manager Proxy 4.3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Manager Server 4.3", product_id: "SUSE Manager Server 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Manager Server 4.3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Manager Server 4.3", product_id: "SUSE Manager Server 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Manager Server 4.3", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of SUSE Enterprise Storage 7.1", product_id: "SUSE Enterprise Storage 7.1:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Enterprise Storage 7.1", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of SUSE Enterprise Storage 7.1", product_id: "SUSE Enterprise Storage 7.1:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "SUSE Enterprise Storage 7.1", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of SUSE Enterprise Storage 7.1", product_id: "SUSE Enterprise Storage 7.1:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Enterprise Storage 7.1", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:xstream-benchmark-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-benchmark-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:xstream-javadoc-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-javadoc-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:xstream-parent-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-parent-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "bea-stax-1.2.0-150200.11.3.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:bea-stax-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "bea-stax-api-1.2.0-150200.11.3.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:bea-stax-api-1.2.0-150200.11.3.1.noarch", }, product_reference: "bea-stax-api-1.2.0-150200.11.3.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "xstream-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:xstream-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "xstream-benchmark-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:xstream-benchmark-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-benchmark-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "xstream-javadoc-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:xstream-javadoc-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-javadoc-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "xstream-parent-1.4.21-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:xstream-parent-1.4.21-150200.3.28.1.noarch", }, product_reference: "xstream-parent-1.4.21-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, ], }, vulnerabilities: [ { cve: "CVE-2024-47072", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-47072", }, ], notes: [ { category: "general", text: "XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Enterprise Storage 7.1:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Enterprise Storage 7.1:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Enterprise Storage 7.1:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Manager Proxy 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Manager Proxy 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server Module 4.3:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:bea-stax-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.5:bea-stax-api-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.5:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-benchmark-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-javadoc-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-parent-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:bea-stax-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.6:bea-stax-api-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.6:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-benchmark-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-javadoc-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-parent-1.4.21-150200.3.28.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2024-47072", url: "https://www.suse.com/security/cve/CVE-2024-47072", }, { category: "external", summary: "SUSE Bug 1233085 for CVE-2024-47072", url: "https://bugzilla.suse.com/1233085", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Enterprise Storage 7.1:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Enterprise Storage 7.1:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Enterprise Storage 7.1:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Manager Proxy 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Manager Proxy 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server Module 4.3:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:bea-stax-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.5:bea-stax-api-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.5:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-benchmark-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-javadoc-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-parent-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:bea-stax-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.6:bea-stax-api-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.6:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-benchmark-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-javadoc-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-parent-1.4.21-150200.3.28.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Enterprise Storage 7.1:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Enterprise Storage 7.1:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Enterprise Storage 7.1:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP5:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Basesystem 15 SP6:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP2-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP3-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server 15 SP4-LTSS:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP2:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP3:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Linux Enterprise Server for SAP Applications 15 SP4:xstream-1.4.21-150200.3.28.1.noarch", "SUSE Manager Proxy 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Manager Proxy 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server 4.3:bea-stax-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server 4.3:bea-stax-api-1.2.0-150200.11.3.1.noarch", "SUSE Manager Server Module 4.3:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:bea-stax-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.5:bea-stax-api-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.5:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-benchmark-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-javadoc-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.5:xstream-parent-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:bea-stax-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.6:bea-stax-api-1.2.0-150200.11.3.1.noarch", "openSUSE Leap 15.6:xstream-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-benchmark-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-javadoc-1.4.21-150200.3.28.1.noarch", "openSUSE Leap 15.6:xstream-parent-1.4.21-150200.3.28.1.noarch", ], }, ], threats: [ { category: "impact", date: "2024-11-19T08:48:56Z", details: "important", }, ], title: "CVE-2024-47072", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.