{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\nA Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:7735",
        "url": "https://access.redhat.com/errata/RHSA-2024:7735"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index"
      },
      {
        "category": "external",
        "summary": "2305290",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7735.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update",
    "tracking": {
      "current_release_date": "2024-11-15T21:17:11+00:00",
      "generator": {
        "date": "2024-11-15T21:17:11+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:7735",
      "initial_release_date": "2024-10-07T12:18:17+00:00",
      "revision_history": [
        {
          "date": "2024-10-07T12:18:17+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-07T12:18:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T21:17:11+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 7",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 7",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "BfC"
          ]
        }
      ],
      "cve": "CVE-2024-7885",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-08-16T09:00:41.686000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305290"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305290",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
        }
      ],
      "release_date": "2024-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-07T12:18:17+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7735"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 8.0.\n\nSecurity Fix(es):\n\n* software.amazon.ion/ion-java: ion-java: Ion Java StackOverflow vulnerability (CVE-2024-21634)\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:7442",
        "url": "https://access.redhat.com/errata/RHSA-2024:7442"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2304311",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304311"
      },
      {
        "category": "external",
        "summary": "2305290",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
      },
      {
        "category": "external",
        "summary": "JBEAP-27711",
        "url": "https://issues.redhat.com/browse/JBEAP-27711"
      },
      {
        "category": "external",
        "summary": "JBEAP-27754",
        "url": "https://issues.redhat.com/browse/JBEAP-27754"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7442.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0 security update",
    "tracking": {
      "current_release_date": "2024-11-15T21:16:51+00:00",
      "generator": {
        "date": "2024-11-15T21:16:51+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:7442",
      "initial_release_date": "2024-10-01T07:54:26+00:00",
      "revision_history": [
        {
          "date": "2024-10-01T07:54:26+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-01T07:54:26+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T21:16:51+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 8",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 8",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "BfC"
          ]
        }
      ],
      "cve": "CVE-2024-7885",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-08-16T09:00:41.686000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305290"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305290",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
        }
      ],
      "release_date": "2024-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-01T07:54:26+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7442"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage"
    },
    {
      "cve": "CVE-2024-21634",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-08-13T12:39:28.068000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2304311"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Amazon Ion, an implementation of Ion data notation. Ion-java may be affected by denial of service (DoS) due to issues while deserializing encoded data into IonValue. A maliciously crafted Ion data structure may be processed and cause a StackOverflowError, leaving the application in an unreliable state.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ion-java: ion-java: Ion Java StackOverflow vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21634"
        },
        {
          "category": "external",
          "summary": "RHBZ#2304311",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304311"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21634",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21634"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634"
        },
        {
          "category": "external",
          "summary": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6",
          "url": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6"
        }
      ],
      "release_date": "2024-01-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-01T07:54:26+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7442"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ion-java: ion-java: Ion Java StackOverflow vulnerability"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat build of Apache Camel 3.20.7 for Spring Boot release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Apache Camel 3.20.7 for Spring Boot release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* com.nimbusds/nimbus-jose-jwt: large JWE p2c header value causes Denial of Service (CVE-2023-52428)\n\n* undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket (CVE-2024-5971)\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\n* org.apache.cxf/cxf-rt-rs-service-description: SSRF via WADL stylesheet parameter (CVE-2024-29736)\n\n* ca.uhn.hapi.fhir/org.hl7.fhir.dstu2016may: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` (CVE-2024-45294)\n\n* ca.uhn.hapi.fhir/org.hl7.fhir.dstu3: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` (CVE-2024-45294)\n\n* ca.uhn.hapi.fhir/org.hl7.fhir.r4: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` (CVE-2024-45294)\n\n* ca.uhn.hapi.fhir/org.hl7.fhir.r5: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` (CVE-2024-45294)\n\n* ca.uhn.hapi.fhir/org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core` (CVE-2024-45294)\n\n* org.apache.cxf/cxf-rt-rs-security-jose: apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE (CVE-2024-32007)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:6883",
        "url": "https://access.redhat.com/errata/RHSA-2024:6883"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2292211",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211"
      },
      {
        "category": "external",
        "summary": "2298827",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298827"
      },
      {
        "category": "external",
        "summary": "2298828",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298828"
      },
      {
        "category": "external",
        "summary": "2305290",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
      },
      {
        "category": "external",
        "summary": "2309764",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
      },
      {
        "category": "external",
        "summary": "2310447",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_6883.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 3.20.7 for Spring Boot security update.",
    "tracking": {
      "current_release_date": "2024-11-15T21:16:22+00:00",
      "generator": {
        "date": "2024-11-15T21:16:22+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:6883",
      "initial_release_date": "2024-09-19T16:46:46+00:00",
      "revision_history": [
        {
          "date": "2024-09-19T16:46:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-09-19T16:46:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T21:16:22+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot",
                "product": {
                  "name": "Red Hat build of Apache Camel 3.20.7 for Spring Boot",
                  "product_id": "Red Hat build of Apache Camel 3.20.7 for Spring Boot",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:apache_camel_spring_boot:3.20.7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Build of Apache Camel"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-52428",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-09-04T17:02:58.468000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2309764"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in the Nimbus Jose JWT package. This issue could allow an attacker to use a malicious large JWE p2c header value for PasswordBasedDecrypter and cause a Denial of Service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "RHBZ#2309764",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2309764"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-52428",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428"
        }
      ],
      "release_date": "2024-02-11T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-19T16:46:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service"
    },
    {
      "cve": "CVE-2024-5971",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2024-06-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2292211"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\\r\\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The identified vulnerability in Undertow, where chunked responses fail to terminate properly under Java 17 with TLSv1.3, represents a significant security concern due to its potential for uncontrolled resource consumption and denial of service (DoS) attacks. This issue arises from Undertow\u0027s mishandling of chunked response termination after initial data flushing, leading to clients waiting indefinitely for completion signals that are not sent. Such behavior could be exploited by malicious actors to exhaust server resources, resulting in service degradation or unavailability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-5971"
        },
        {
          "category": "external",
          "summary": "RHBZ#2292211",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-5971",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-5971"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971"
        }
      ],
      "release_date": "2024-07-08T20:46:55+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-19T16:46:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "BfC"
          ]
        }
      ],
      "cve": "CVE-2024-7885",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-08-16T09:00:41.686000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305290"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305290",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
        }
      ],
      "release_date": "2024-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-19T16:46:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage"
    },
    {
      "cve": "CVE-2024-29736",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2024-07-19T09:20:09+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2298827"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A Server-side request forgery (SSRF) vulnerability was found in Apache CXF in the WADL service description. The flaw allows an attacker to perform SSRF-style attacks on REST web services. The attack only applies if a custom stylesheet parameter is configured.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache: cxf: org.apache.cxf:cxf-rt-rs-service-description: SSRF via WADL stylesheet parameter",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This SSRF vulnerability in Apache CXF\u0027s WADL service description is of significant severity because it allows an attacker to manipulate server-side requests, potentially leading to unauthorized access to internal resources. By exploiting this flaw, an attacker can craft malicious requests that bypass traditional security controls, enabling the server to communicate with internal systems, which may include databases, cloud services, or other sensitive infrastructure.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29736"
        },
        {
          "category": "external",
          "summary": "RHBZ#2298827",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298827"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29736",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29736"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29736",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29736"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-5m3j-pxh7-455p",
          "url": "https://github.com/advisories/GHSA-5m3j-pxh7-455p"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2",
          "url": "https://lists.apache.org/thread/4jtpsswn2r6xommol54p5mg263ysgdw2"
        },
        {
          "category": "external",
          "summary": "https://osv.dev/vulnerability/GHSA-5m3j-pxh7-455p",
          "url": "https://osv.dev/vulnerability/GHSA-5m3j-pxh7-455p"
        }
      ],
      "release_date": "2024-07-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-19T16:46:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "apache: cxf: org.apache.cxf:cxf-rt-rs-service-description: SSRF via WADL stylesheet parameter"
    },
    {
      "cve": "CVE-2024-32007",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-07-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2298828"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An improper input validation vulnerability was found in the p2c parameter in the Apache CXF JOSE. This flaw allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The improper input validation vulnerability in the p2c parameter of Apache CXF JOSE is considered a moderate severity issue rather than a important one due to its limited scope and impact. While the flaw allows an attacker to specify a large value for the p2c parameter, leading to potential denial of service (DoS) attacks by causing excessive computational overhead, it does not compromise data integrity, confidentiality, or authentication mechanisms directly. The attack vector primarily affects system availability and exploiting this vulnerability requires the ability to send crafted tokens.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-32007"
        },
        {
          "category": "external",
          "summary": "RHBZ#2298828",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298828"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-32007",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-32007"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-32007",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32007"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-6pff-fmh2-4mmf",
          "url": "https://github.com/advisories/GHSA-6pff-fmh2-4mmf"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633",
          "url": "https://lists.apache.org/thread/stwrgsr1llb73nkl16klv9vjqgmmx633"
        }
      ],
      "release_date": "2024-07-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-19T16:46:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "apache: cxf: org.apache.cxf:cxf-rt-rs-security-jose: Denial of Service vulnerability in JOSE"
    },
    {
      "cve": "CVE-2024-45294",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2024-09-06T16:20:11.403869+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2310447"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in HAPI FHIR - HL7 FHIR Core Artifacts. eXtensible Stylesheet Language Transformations (XSLT) transforms performed by various components are vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This issue impacts use cases where org.hl7.fhir.core is being used within a host where external clients can submit XML.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is of significant severity because it allows for XML External Entity (XXE) injection, which can lead to unauthorized access and leakage of sensitive data from the host system. In environments where external clients are permitted to submit XML files, an attacker could craft a malicious XML containing a DTD (Document Type Definition) that references external entities. When processed, this could result in the unauthorized disclosure of files, environmental variables, or other confidential data from the server, potentially compromising the integrity and confidentiality of the system.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-45294"
        },
        {
          "category": "external",
          "summary": "RHBZ#2310447",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2310447"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-45294",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-45294"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45294"
        },
        {
          "category": "external",
          "summary": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23",
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/releases/tag/6.3.23"
        },
        {
          "category": "external",
          "summary": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf",
          "url": "https://github.com/hapifhir/org.hl7.fhir.core/security/advisories/GHSA-6cr6-ph3p-f5rf"
        }
      ],
      "release_date": "2024-09-06T16:15:03.300000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-19T16:46:46+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6883"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 3.20.7 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.hl7.fhir.core: org.hl7.fhir.dstu3: org.hl7.fhir.r4: org.hl7.fhir.r4b: org.hl7.fhir.r5: org.hl7.fhir.utilities: XXE vulnerability in XSLT transforms in `org.hl7.fhir.core`"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat build of Apache Camel 4.4.2 for Spring Boot release and security update is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Apache Camel 4.4.2 for Spring Boot release and security update is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed.\n\nSecurity Fix(es):\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\n* org.springframework/spring-expression: From NVD collector (CVE-2024-38808)\n\n* org.apache.cxf/cxf-rt-transports-http: unrestricted memory consumption in CXF HTTP clients (CVE-2024-5971)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:6508",
        "url": "https://access.redhat.com/errata/RHSA-2024:6508"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2298829",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2298829"
      },
      {
        "category": "external",
        "summary": "2305290",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_6508.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4.2 for Spring Boot security update.",
    "tracking": {
      "current_release_date": "2024-11-15T21:16:03+00:00",
      "generator": {
        "date": "2024-11-15T21:16:03+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:6508",
      "initial_release_date": "2024-09-09T17:17:28+00:00",
      "revision_history": [
        {
          "date": "2024-09-09T17:17:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-09-09T17:17:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T21:16:03+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Apache Camel 4.4.2 for Spring Boot",
                "product": {
                  "name": "Red Hat build of Apache Camel 4.4.2 for Spring Boot",
                  "product_id": "Red Hat build of Apache Camel 4.4.2 for Spring Boot",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:apache_camel_spring_boot:4.4.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Build of Apache Camel"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-5971",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2024-06-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2292211"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\\r\\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The identified vulnerability in Undertow, where chunked responses fail to terminate properly under Java 17 with TLSv1.3, represents a significant security concern due to its potential for uncontrolled resource consumption and denial of service (DoS) attacks. This issue arises from Undertow\u0027s mishandling of chunked response termination after initial data flushing, leading to clients waiting indefinitely for completion signals that are not sent. Such behavior could be exploited by malicious actors to exhaust server resources, resulting in service degradation or unavailability.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-5971"
        },
        {
          "category": "external",
          "summary": "RHBZ#2292211",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2292211"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-5971",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-5971"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5971"
        }
      ],
      "release_date": "2024-07-08T20:46:55+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-09T17:17:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6508"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: response write hangs in case of Java 17 TLSv1.3 NewSessionTicket"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "BfC"
          ]
        }
      ],
      "cve": "CVE-2024-7885",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-08-16T09:00:41.686000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305290"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305290",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
        }
      ],
      "release_date": "2024-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-09T17:17:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6508"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage"
    },
    {
      "cve": "CVE-2024-38808",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-08-20T08:20:06.895124+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305959"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Spring framework package. A maliciously crafted Spring Expression Language (SePL) may trigger uncontrolled CPU usage, leading to a denial of service in the application consuming it. To be considered vulnerable, one application has to evaluate user-supplied SpEL expressions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-expression: Denial of service when processing a specially crafted Spring Expression Language expression",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-38808"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305959",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305959"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-38808",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-38808"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-38808",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38808"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2024-38808",
          "url": "https://spring.io/security/cve-2024-38808"
        }
      ],
      "release_date": "2024-08-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-09-09T17:17:28+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:6508"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Apache Camel 4.4.2 for Spring Boot"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "spring-expression: Denial of service when processing a specially crafted Spring Expression Language expression"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 7.4.\n\nSecurity Fix(es):\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\nA Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:7736",
        "url": "https://access.redhat.com/errata/RHSA-2024:7736"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index"
      },
      {
        "category": "external",
        "summary": "2305290",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7736.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 Security update",
    "tracking": {
      "current_release_date": "2024-11-15T21:16:59+00:00",
      "generator": {
        "date": "2024-11-15T21:16:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:7736",
      "initial_release_date": "2024-10-07T12:49:23+00:00",
      "revision_history": [
        {
          "date": "2024-10-07T12:49:23+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-07T12:49:23+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T21:16:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
                "product": {
                  "name": "Red Hat JBoss EAP 7.4 for RHEL 7 Server",
                  "product_id": "7Server-JBEAP-7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.4 for RHEL 8",
                "product": {
                  "name": "Red Hat JBoss EAP 7.4 for RHEL 8",
                  "product_id": "8Base-JBEAP-7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 7.4 for RHEL 9",
                "product": {
                  "name": "Red Hat JBoss EAP 7.4 for RHEL 9",
                  "product_id": "9Base-JBEAP-7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
                "product": {
                  "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
                  "product_id": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-undertow@2.2.33-2.SP2_redhat_00001.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
                "product": {
                  "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
                  "product_id": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.18-1.GA_redhat_00003.1.el7eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
                "product": {
                  "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
                  "product_id": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-undertow@2.2.33-2.SP2_redhat_00001.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
                "product": {
                  "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
                  "product_id": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.18-1.GA_redhat_00003.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
                "product": {
                  "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
                  "product_id": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-undertow@2.2.33-2.SP2_redhat_00001.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
                "product": {
                  "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
                  "product_id": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.18-1.GA_redhat_00003.1.el9eap?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
                "product": {
                  "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
                  "product_id": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-undertow@2.2.33-2.SP2_redhat_00001.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.18-1.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.18-1.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.18-1.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.18-1.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                "product": {
                  "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_id": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.18-1.GA_redhat_00003.1.el7eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
                "product": {
                  "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
                  "product_id": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-undertow@2.2.33-2.SP2_redhat_00001.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.18-1.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.18-1.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk17@7.4.18-1.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.18-1.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.18-1.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                "product": {
                  "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_id": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.18-1.GA_redhat_00003.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
                "product": {
                  "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
                  "product_id": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-undertow@2.2.33-2.SP2_redhat_00001.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly@7.4.18-1.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk11@7.4.18-1.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk17@7.4.18-1.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-java-jdk8@7.4.18-1.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-javadocs@7.4.18-1.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                "product": {
                  "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_id": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap7-wildfly-modules@7.4.18-1.GA_redhat_00003.1.el9eap?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch"
        },
        "product_reference": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src"
        },
        "product_reference": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src"
        },
        "product_reference": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 7 Server",
          "product_id": "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch"
        },
        "product_reference": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
        "relates_to_product_reference": "7Server-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch"
        },
        "product_reference": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src"
        },
        "product_reference": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src"
        },
        "product_reference": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 8",
          "product_id": "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch"
        },
        "product_reference": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch"
        },
        "product_reference": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src"
        },
        "product_reference": "eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src"
        },
        "product_reference": "eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch as a component of Red Hat JBoss EAP 7.4 for RHEL 9",
          "product_id": "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        },
        "product_reference": "eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-7.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "BfC"
          ]
        }
      ],
      "cve": "CVE-2024-7885",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-08-16T09:00:41.686000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305290"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
          "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
          "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
          "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
          "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
          "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
          "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
          "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
          "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305290",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
        }
      ],
      "release_date": "2024-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-07T12:49:23+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7736"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el7eap.src",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "7Server-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el7eap.noarch",
            "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el8eap.src",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "8Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el8eap.noarch",
            "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-undertow-0:2.2.33-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-0:7.4.18-1.GA_redhat_00003.1.el9eap.src",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk11-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk17-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-java-jdk8-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-javadocs-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch",
            "9Base-JBEAP-7.4:eap7-wildfly-modules-0:7.4.18-1.GA_redhat_00003.1.el9eap.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage"
    }
  ]
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 8 is a platform for Java applications based on the WildFly application runtime.\n\nThis asynchronous patch is a security update for Red Hat JBoss Enterprise Application Platform 8.0.\n\nSecurity Fix(es):\n\n* software.amazon.ion/ion-java: ion-java: Ion Java StackOverflow vulnerability (CVE-2024-21634)\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgements, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:7441",
        "url": "https://access.redhat.com/errata/RHSA-2024:7441"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/8.0/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/8.0/"
      },
      {
        "category": "external",
        "summary": "2304311",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304311"
      },
      {
        "category": "external",
        "summary": "2305290",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
      },
      {
        "category": "external",
        "summary": "JBEAP-27711",
        "url": "https://issues.redhat.com/browse/JBEAP-27711"
      },
      {
        "category": "external",
        "summary": "JBEAP-27754",
        "url": "https://issues.redhat.com/browse/JBEAP-27754"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7441.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 8.0 security update",
    "tracking": {
      "current_release_date": "2024-11-15T21:16:41+00:00",
      "generator": {
        "date": "2024-11-15T21:16:41+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2024:7441",
      "initial_release_date": "2024-10-01T08:03:25+00:00",
      "revision_history": [
        {
          "date": "2024-10-01T08:03:25+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-10-01T08:03:25+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T21:16:41+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 8.0 for RHEL 9",
                "product": {
                  "name": "Red Hat JBoss EAP 8.0 for RHEL 9",
                  "product_id": "9Base-JBEAP-8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat JBoss EAP 8.0 for RHEL 8",
                "product": {
                  "name": "Red Hat JBoss EAP 8.0 for RHEL 8",
                  "product_id": "8Base-JBEAP-8.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
                "product": {
                  "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
                  "product_id": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-amazon-ion-java@1.11.9-2.redhat_00001.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
                "product": {
                  "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
                  "product_id": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-undertow@2.3.14-2.SP2_redhat_00001.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
                "product": {
                  "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
                  "product_id": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly@8.0.3-13.GA_redhat_00007.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
                "product": {
                  "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
                  "product_id": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.3.1-2.GA_redhat_00002.1.el9eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
                "product": {
                  "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
                  "product_id": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-amazon-ion-java@1.11.9-2.redhat_00001.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
                "product": {
                  "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
                  "product_id": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-undertow@2.3.14-2.SP2_redhat_00001.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
                "product": {
                  "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
                  "product_id": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly@8.0.3-13.GA_redhat_00007.1.el8eap?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
                "product": {
                  "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
                  "product_id": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.3.1-2.GA_redhat_00002.1.el8eap?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
                "product": {
                  "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
                  "product_id": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-amazon-ion-java@1.11.9-2.redhat_00001.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
                "product": {
                  "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
                  "product_id": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-undertow@2.3.14-2.SP2_redhat_00001.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                "product": {
                  "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_id": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly@8.0.3-13.GA_redhat_00007.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                "product": {
                  "name": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_id": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-java-jdk11@8.0.3-13.GA_redhat_00007.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                "product": {
                  "name": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_id": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-java-jdk17@8.0.3-13.GA_redhat_00007.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                "product": {
                  "name": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_id": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-java-jdk21@8.0.3-13.GA_redhat_00007.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                "product": {
                  "name": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_id": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-modules@8.0.3-13.GA_redhat_00007.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
                "product": {
                  "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
                  "product_id": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.3.1-2.GA_redhat_00002.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
                "product": {
                  "name": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
                  "product_id": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-eap-product-conf-wildfly-ee-feature-pack@800.3.1-2.GA_redhat_00002.1.el9eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
                "product": {
                  "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
                  "product_id": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-amazon-ion-java@1.11.9-2.redhat_00001.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
                "product": {
                  "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
                  "product_id": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-undertow@2.3.14-2.SP2_redhat_00001.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                "product": {
                  "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_id": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly@8.0.3-13.GA_redhat_00007.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                "product": {
                  "name": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_id": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-java-jdk11@8.0.3-13.GA_redhat_00007.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                "product": {
                  "name": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_id": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-java-jdk17@8.0.3-13.GA_redhat_00007.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                "product": {
                  "name": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_id": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-java-jdk21@8.0.3-13.GA_redhat_00007.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                "product": {
                  "name": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_id": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-wildfly-modules@8.0.3-13.GA_redhat_00007.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
                "product": {
                  "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
                  "product_id": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-eap-product-conf-parent@800.3.1-2.GA_redhat_00002.1.el8eap?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
                "product": {
                  "name": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
                  "product_id": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/eap8-eap-product-conf-wildfly-ee-feature-pack@800.3.1-2.GA_redhat_00002.1.el8eap?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch"
        },
        "product_reference": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src"
        },
        "product_reference": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch"
        },
        "product_reference": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src"
        },
        "product_reference": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch"
        },
        "product_reference": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch"
        },
        "product_reference": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src"
        },
        "product_reference": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch"
        },
        "product_reference": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src"
        },
        "product_reference": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch"
        },
        "product_reference": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch"
        },
        "product_reference": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch"
        },
        "product_reference": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 8",
          "product_id": "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch"
        },
        "product_reference": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
        "relates_to_product_reference": "8Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch"
        },
        "product_reference": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src"
        },
        "product_reference": "eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch"
        },
        "product_reference": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src"
        },
        "product_reference": "eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch"
        },
        "product_reference": "eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch"
        },
        "product_reference": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src"
        },
        "product_reference": "eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        },
        "product_reference": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src"
        },
        "product_reference": "eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        },
        "product_reference": "eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        },
        "product_reference": "eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        },
        "product_reference": "eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch as a component of Red Hat JBoss EAP 8.0 for RHEL 9",
          "product_id": "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        },
        "product_reference": "eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
        "relates_to_product_reference": "9Base-JBEAP-8.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "BfC"
          ]
        }
      ],
      "cve": "CVE-2024-7885",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)"
      },
      "discovery_date": "2024-08-16T09:00:41.686000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2305290"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "RHBZ#2305290",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
        }
      ],
      "release_date": "2024-08-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-01T08:03:25+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7441"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Improper State Management in Proxy Protocol parsing causes information leakage"
    },
    {
      "cve": "CVE-2024-21634",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-08-13T12:39:28.068000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2304311"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Amazon Ion, an implementation of Ion data notation. Ion-java may be affected by denial of service (DoS) due to issues while deserializing encoded data into IonValue. A maliciously crafted Ion data structure may be processed and cause a StackOverflowError, leaving the application in an unreliable state.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ion-java: ion-java: Ion Java StackOverflow vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
          "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
          "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
          "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
          "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21634"
        },
        {
          "category": "external",
          "summary": "RHBZ#2304311",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304311"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21634",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21634"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21634"
        },
        {
          "category": "external",
          "summary": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6",
          "url": "https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6"
        }
      ],
      "release_date": "2024-01-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-10-01T08:03:25+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:7441"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el8eap.src",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "8Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el8eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-amazon-ion-java-0:1.11.9-2.redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-parent-0:800.3.1-2.GA_redhat_00002.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-eap-product-conf-wildfly-ee-feature-pack-0:800.3.1-2.GA_redhat_00002.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-undertow-0:2.3.14-2.SP2_redhat_00001.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-0:8.0.3-13.GA_redhat_00007.1.el9eap.src",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk11-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk17-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-java-jdk21-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch",
            "9Base-JBEAP-8.0:eap8-wildfly-modules-0:8.0.3-13.GA_redhat_00007.1.el9eap.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ion-java: ion-java: Ion Java StackOverflow vulnerability"
    }
  ]
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.36.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.undertow:undertow-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0.Alpha1"
            },
            {
              "fixed": "2.3.17.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-7885"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-21T20:08:37Z",
    "nvd_published_at": "2024-08-21T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.",
  "id": "GHSA-9623-mqmm-5rcf",
  "modified": "2024-10-16T14:07:33Z",
  "published": "2024-08-21T15:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7885"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/80c125e09068ac52ed0a9acde266ef12f8ed7ae1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/commit/ce5182c37376982ef0abee34fce0d8c0aab0fab8"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6508"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:6883"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:7441"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:7442"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:7735"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:7736"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2024-7885"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305290"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/undertow-io/undertow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/undertow-io/undertow/blob/182e4ca1543c52f438b0244c930dca3d8b6e68e3/core/src/main/java/io/undertow/server/protocol/proxy/ProxyProtocolReadListener.java"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Undertow vulnerable to Race Condition"
}