Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2024-8184 (GCVE-0-2024-8184)
Vulnerability from cvelistv5
Published
2024-10-14 15:09
Modified
2024-10-15 17:42
Severity ?
EPSS score ?
Summary
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Eclipse Foundation | Jetty |
Version: 9.3.12 ≤ 9.4.55 Version: 10.0.0 ≤ 10.0.23 Version: 11.0.0 ≤ 11.0.23 Version: 12.0.0 ≤ 12.0.8 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-8184", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-15T17:41:50.744158Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-15T17:42:01.168Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://repo.maven.apache.org/maven2/", defaultStatus: "unaffected", modules: [ "jetty-server", ], packageName: "org.eclipse.jetty:jetty-server", product: "Jetty", repo: "https://github.com/jetty/jetty.project", vendor: "Eclipse Foundation", versions: [ { lessThanOrEqual: "9.4.55", status: "affected", version: "9.3.12", versionType: "semver", }, { lessThanOrEqual: "10.0.23", status: "affected", version: "10.0.0", versionType: "semver", }, { lessThanOrEqual: "11.0.23", status: "affected", version: "11.0.0", versionType: "semver", }, { lessThanOrEqual: "12.0.8", status: "affected", version: "12.0.0", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "https://github.com/HRsGIT", }, ], datePublic: "2024-10-14T03:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "There exists a security vulnerability in Jetty's <code>ThreadLimitHandler.getRemote()</code> which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.<br>", }, ], value: "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-10-14T15:30:02.698Z", orgId: "e51fbebd-6053-4e49-959f-1b94eeb69a2c", shortName: "eclipse", }, references: [ { url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, { url: "https://github.com/jetty/jetty.project/pull/11723", }, ], source: { discovery: "UNKNOWN", }, title: "Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", workarounds: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Do not use <code>ThreadLimitHandler</code>.<br>\nConsider use of <code>QoSHandler</code> instead to artificially limit resource utilization.<br>", }, ], value: "Do not use ThreadLimitHandler.\n\nConsider use of QoSHandler instead to artificially limit resource utilization.", }, ], x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e51fbebd-6053-4e49-959f-1b94eeb69a2c", assignerShortName: "eclipse", cveId: "CVE-2024-8184", datePublished: "2024-10-14T15:09:37.861Z", dateReserved: "2024-08-26T15:58:44.006Z", dateUpdated: "2024-10-15T17:42:01.168Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.3.12\", \"versionEndExcluding\": \"9.4.56\", \"matchCriteriaId\": \"38EE28A7-83A2-4D16-A1D7-197C1680C234\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"10.0.0\", \"versionEndExcluding\": \"10.0.24\", \"matchCriteriaId\": \"40B124FE-E76C-4612-8781-42CF3182E264\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"11.0.0\", \"versionEndExcluding\": \"11.0.24\", \"matchCriteriaId\": \"43B96569-B73B-4765-994F-809E5AE1A3CE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"12.0.0\", \"versionEndExcluding\": \"12.0.9\", \"matchCriteriaId\": \"CDCB79ED-6D2F-4A37-BB89-41EABF18EAC1\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de seguridad en ThreadLimitHandler.getRemote() de Jetty que puede ser explotada por usuarios no autorizados para provocar un ataque de denegaci\\u00f3n de servicio (DoS) remoto. Al enviar repetidamente solicitudes manipuladas, los atacantes pueden generar errores OutofMemory y agotar la memoria del servidor.\"}]", id: "CVE-2024-8184", lastModified: "2024-11-08T21:00:09.857", metrics: "{\"cvssMetricV31\": [{\"source\": \"emo@eclipse.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}", published: "2024-10-14T16:15:04.380", references: "[{\"url\": \"https://github.com/jetty/jetty.project/pull/11723\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/30\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Vendor Advisory\"]}]", sourceIdentifier: "emo@eclipse.org", vulnStatus: "Analyzed", weaknesses: "[{\"source\": \"emo@eclipse.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-770\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2024-8184\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2024-10-14T16:15:04.380\",\"lastModified\":\"2024-11-08T21:00:09.857\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de seguridad en ThreadLimitHandler.getRemote() de Jetty que puede ser explotada por usuarios no autorizados para provocar un ataque de denegación de servicio (DoS) remoto. Al enviar repetidamente solicitudes manipuladas, los atacantes pueden generar errores OutofMemory y agotar la memoria del servidor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.3.12\",\"versionEndExcluding\":\"9.4.56\",\"matchCriteriaId\":\"38EE28A7-83A2-4D16-A1D7-197C1680C234\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.0.24\",\"matchCriteriaId\":\"40B124FE-E76C-4612-8781-42CF3182E264\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndExcluding\":\"11.0.24\",\"matchCriteriaId\":\"43B96569-B73B-4765-994F-809E5AE1A3CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.9\",\"matchCriteriaId\":\"CDCB79ED-6D2F-4A37-BB89-41EABF18EAC1\"}]}]}],\"references\":[{\"url\":\"https://github.com/jetty/jetty.project/pull/11723\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://gitlab.eclipse.org/security/cve-assignement/-/issues/30\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Vendor Advisory\"]}]}}", vulnrichment: { containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8184\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-15T17:41:50.744158Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-15T17:41:57.293Z\"}}], \"cna\": {\"title\": \"Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"https://github.com/HRsGIT\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/jetty/jetty.project\", \"vendor\": \"Eclipse Foundation\", \"modules\": [\"jetty-server\"], \"product\": \"Jetty\", \"versions\": [{\"status\": \"affected\", \"version\": \"9.3.12\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.4.55\"}, {\"status\": \"affected\", \"version\": \"10.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.0.23\"}, {\"status\": \"affected\", \"version\": \"11.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"11.0.23\"}, {\"status\": \"affected\", \"version\": \"12.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"12.0.8\"}], \"packageName\": \"org.eclipse.jetty:jetty-server\", \"collectionURL\": \"https://repo.maven.apache.org/maven2/\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-10-14T03:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq\"}, {\"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/30\"}, {\"url\": \"https://github.com/jetty/jetty.project/pull/11723\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Do not use ThreadLimitHandler.\\n\\nConsider use of QoSHandler instead to artificially limit resource utilization.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Do not use <code>ThreadLimitHandler</code>.<br>\\nConsider use of <code>QoSHandler</code> instead to artificially limit resource utilization.<br>\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"There exists a security vulnerability in Jetty's <code>ThreadLimitHandler.getRemote()</code> which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.<br>\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"shortName\": \"eclipse\", \"dateUpdated\": \"2024-10-14T15:30:02.698Z\"}}}", cveMetadata: "{\"cveId\": \"CVE-2024-8184\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-15T17:42:01.168Z\", \"dateReserved\": \"2024-08-26T15:58:44.006Z\", \"assignerOrgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"datePublished\": \"2024-10-14T15:09:37.861Z\", \"assignerShortName\": \"eclipse\"}", dataType: "CVE_RECORD", dataVersion: "5.1", }, }, }
suse-su-2024:3720-1
Vulnerability from csaf_suse
Published
2024-10-18 06:33
Modified
2024-10-18 06:33
Summary
Security update for jetty-minimal
Notes
Title of the patch
Security update for jetty-minimal
Description of the patch
This update for jetty-minimal fixes the following issues:
- CVE-2024-8184: Fixed remote denial-of-service in ThreadLimitHandler.getRemote() (bsc#1231651).
Patchnames
SUSE-2024-3720,SUSE-SLE-Module-Development-Tools-15-SP5-2024-3720,SUSE-SLE-Module-Development-Tools-15-SP6-2024-3720,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3720,openSUSE-SLE-15.5-2024-3720,openSUSE-SLE-15.6-2024-3720
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for jetty-minimal", title: "Title of the patch", }, { category: "description", text: "This update for jetty-minimal fixes the following issues:\n\n- CVE-2024-8184: Fixed remote denial-of-service in ThreadLimitHandler.getRemote() (bsc#1231651).\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2024-3720,SUSE-SLE-Module-Development-Tools-15-SP5-2024-3720,SUSE-SLE-Module-Development-Tools-15-SP6-2024-3720,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-3720,openSUSE-SLE-15.5-2024-3720,openSUSE-SLE-15.6-2024-3720", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3720-1.json", }, { category: "self", summary: "URL for SUSE-SU-2024:3720-1", url: "https://www.suse.com/support/update/announcement/2024/suse-su-20243720-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2024:3720-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2024-October/019655.html", }, { category: "self", summary: "SUSE Bug 1231651", url: "https://bugzilla.suse.com/1231651", }, { category: "self", summary: "SUSE CVE CVE-2024-8184 page", url: "https://www.suse.com/security/cve/CVE-2024-8184/", }, ], title: "Security update for jetty-minimal", tracking: { current_release_date: "2024-10-18T06:33:56Z", generator: { date: "2024-10-18T06:33:56Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2024:3720-1", initial_release_date: "2024-10-18T06:33:56Z", revision_history: [ { date: "2024-10-18T06:33:56Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "jetty-annotations-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-annotations-9.4.56-150200.3.28.1.noarch", product_id: "jetty-annotations-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-ant-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-ant-9.4.56-150200.3.28.1.noarch", product_id: "jetty-ant-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-cdi-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-cdi-9.4.56-150200.3.28.1.noarch", product_id: "jetty-cdi-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-client-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-client-9.4.56-150200.3.28.1.noarch", product_id: "jetty-client-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-continuation-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-continuation-9.4.56-150200.3.28.1.noarch", product_id: "jetty-continuation-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-deploy-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-deploy-9.4.56-150200.3.28.1.noarch", product_id: "jetty-deploy-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-fcgi-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-fcgi-9.4.56-150200.3.28.1.noarch", product_id: "jetty-fcgi-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-http-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-http-9.4.56-150200.3.28.1.noarch", product_id: "jetty-http-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-http-spi-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-http-spi-9.4.56-150200.3.28.1.noarch", product_id: "jetty-http-spi-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-io-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-io-9.4.56-150200.3.28.1.noarch", product_id: "jetty-io-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-jaas-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-jaas-9.4.56-150200.3.28.1.noarch", product_id: "jetty-jaas-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-javax-websocket-client-impl-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-javax-websocket-client-impl-9.4.56-150200.3.28.2.noarch", product_id: "jetty-javax-websocket-client-impl-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-javax-websocket-server-impl-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-javax-websocket-server-impl-9.4.56-150200.3.28.2.noarch", product_id: "jetty-javax-websocket-server-impl-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-jmx-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-jmx-9.4.56-150200.3.28.1.noarch", product_id: "jetty-jmx-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-jndi-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-jndi-9.4.56-150200.3.28.1.noarch", product_id: "jetty-jndi-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-jsp-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-jsp-9.4.56-150200.3.28.1.noarch", product_id: "jetty-jsp-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", product_id: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-openid-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-openid-9.4.56-150200.3.28.1.noarch", product_id: "jetty-openid-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-plus-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-plus-9.4.56-150200.3.28.1.noarch", product_id: "jetty-plus-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-proxy-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-proxy-9.4.56-150200.3.28.1.noarch", product_id: "jetty-proxy-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-quickstart-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-quickstart-9.4.56-150200.3.28.1.noarch", product_id: "jetty-quickstart-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-rewrite-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-rewrite-9.4.56-150200.3.28.1.noarch", product_id: "jetty-rewrite-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-security-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-security-9.4.56-150200.3.28.1.noarch", product_id: "jetty-security-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-server-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-server-9.4.56-150200.3.28.1.noarch", product_id: "jetty-server-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-servlet-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-servlet-9.4.56-150200.3.28.1.noarch", product_id: "jetty-servlet-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-servlets-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-servlets-9.4.56-150200.3.28.1.noarch", product_id: "jetty-servlets-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-start-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-start-9.4.56-150200.3.28.1.noarch", product_id: "jetty-start-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-util-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-util-9.4.56-150200.3.28.1.noarch", product_id: "jetty-util-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", product_id: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-webapp-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-webapp-9.4.56-150200.3.28.1.noarch", product_id: "jetty-webapp-9.4.56-150200.3.28.1.noarch", }, }, { category: "product_version", name: "jetty-websocket-api-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-websocket-api-9.4.56-150200.3.28.2.noarch", product_id: "jetty-websocket-api-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-websocket-client-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-websocket-client-9.4.56-150200.3.28.2.noarch", product_id: "jetty-websocket-client-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-websocket-common-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-websocket-common-9.4.56-150200.3.28.2.noarch", product_id: "jetty-websocket-common-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-websocket-javadoc-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-websocket-javadoc-9.4.56-150200.3.28.2.noarch", product_id: "jetty-websocket-javadoc-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-websocket-server-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-websocket-server-9.4.56-150200.3.28.2.noarch", product_id: "jetty-websocket-server-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-websocket-servlet-9.4.56-150200.3.28.2.noarch", product: { name: "jetty-websocket-servlet-9.4.56-150200.3.28.2.noarch", product_id: "jetty-websocket-servlet-9.4.56-150200.3.28.2.noarch", }, }, { category: "product_version", name: "jetty-xml-9.4.56-150200.3.28.1.noarch", product: { name: "jetty-xml-9.4.56-150200.3.28.1.noarch", product_id: "jetty-xml-9.4.56-150200.3.28.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Development Tools 15 SP5", product: { name: "SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-development-tools:15:sp5", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Development Tools 15 SP6", product: { name: "SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-development-tools:15:sp6", }, }, }, { category: "product_name", name: "SUSE Linux Enterprise Module for Package Hub 15 SP6", product: { name: "SUSE Linux Enterprise Module for Package Hub 15 SP6", product_id: "SUSE Linux Enterprise Module for Package Hub 15 SP6", product_identification_helper: { cpe: "cpe:/o:suse:packagehub:15:sp6", }, }, }, { category: "product_name", name: "openSUSE Leap 15.5", product: { name: "openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.5", }, }, }, { category: "product_name", name: "openSUSE Leap 15.6", product: { name: "openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.6", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-http-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-http-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-io-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-io-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-security-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-security-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-server-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-server-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-servlet-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-servlet-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP5", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-http-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-http-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-io-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-io-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-security-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-security-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-server-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-server-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-servlet-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-servlet-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP6", product_id: "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Development Tools 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-150200.3.28.1.noarch as component of SUSE Linux Enterprise Module for Package Hub 15 SP6", product_id: "SUSE Linux Enterprise Module for Package Hub 15 SP6:jetty-continuation-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-continuation-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Package Hub 15 SP6", }, { category: "default_component_of", full_product_name: { name: "jetty-annotations-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-annotations-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-annotations-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-ant-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-ant-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-ant-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-cdi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-cdi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-cdi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-client-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-client-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-client-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-continuation-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-continuation-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-deploy-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-deploy-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-deploy-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-fcgi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-fcgi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-fcgi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-http-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-http-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-http-spi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-http-spi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-http-spi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-io-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-io-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-jaas-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-jaas-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jaas-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-jmx-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-jmx-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jmx-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-jndi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-jndi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jndi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-jsp-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-jsp-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jsp-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-openid-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-openid-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-openid-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-plus-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-plus-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-plus-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-proxy-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-proxy-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-proxy-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-quickstart-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-quickstart-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-quickstart-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-rewrite-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-rewrite-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-rewrite-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-security-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-security-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-server-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-server-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-servlet-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-servlet-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-servlets-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-servlets-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-servlets-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-start-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-start-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-start-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-util-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-webapp-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-webapp-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-webapp-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-xml-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:jetty-xml-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-xml-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "jetty-annotations-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-annotations-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-annotations-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-ant-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-ant-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-ant-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-cdi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-cdi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-cdi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-client-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-client-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-client-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-continuation-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-continuation-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-deploy-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-deploy-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-deploy-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-fcgi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-fcgi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-fcgi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-http-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-http-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-http-spi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-http-spi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-http-spi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-io-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-io-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-jaas-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-jaas-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jaas-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-jmx-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-jmx-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jmx-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-jndi-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-jndi-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jndi-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-jsp-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-jsp-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-jsp-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-openid-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-openid-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-openid-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-plus-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-plus-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-plus-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-proxy-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-proxy-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-proxy-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-quickstart-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-quickstart-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-quickstart-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-rewrite-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-rewrite-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-rewrite-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-security-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-security-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-server-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-server-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-servlet-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-servlet-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-servlets-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-servlets-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-servlets-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-start-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-start-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-start-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-util-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-util-ajax-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-webapp-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-webapp-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-webapp-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, { category: "default_component_of", full_product_name: { name: "jetty-xml-9.4.56-150200.3.28.1.noarch as component of openSUSE Leap 15.6", product_id: "openSUSE Leap 15.6:jetty-xml-9.4.56-150200.3.28.1.noarch", }, product_reference: "jetty-xml-9.4.56-150200.3.28.1.noarch", relates_to_product_reference: "openSUSE Leap 15.6", }, ], }, vulnerabilities: [ { cve: "CVE-2024-8184", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-8184", }, ], notes: [ { category: "general", text: "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-http-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-io-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-security-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-server-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-servlet-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-http-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-io-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-security-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-server-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-servlet-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP6:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-annotations-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-ant-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-cdi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-client-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-deploy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-fcgi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-http-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-http-spi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-io-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jaas-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jmx-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jndi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jsp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-openid-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-plus-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-proxy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-quickstart-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-rewrite-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-security-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-server-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-servlet-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-servlets-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-start-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-util-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-webapp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-xml-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-annotations-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-ant-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-cdi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-client-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-deploy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-fcgi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-http-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-http-spi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-io-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jaas-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jmx-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jndi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jsp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-openid-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-plus-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-proxy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-quickstart-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-rewrite-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-security-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-server-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-servlet-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-servlets-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-start-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-util-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-webapp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-xml-9.4.56-150200.3.28.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2024-8184", url: "https://www.suse.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "SUSE Bug 1231651 for CVE-2024-8184", url: "https://bugzilla.suse.com/1231651", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-http-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-io-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-security-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-server-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-servlet-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-http-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-io-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-security-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-server-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-servlet-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP6:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-annotations-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-ant-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-cdi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-client-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-deploy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-fcgi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-http-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-http-spi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-io-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jaas-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jmx-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jndi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jsp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-openid-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-plus-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-proxy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-quickstart-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-rewrite-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-security-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-server-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-servlet-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-servlets-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-start-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-util-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-webapp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-xml-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-annotations-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-ant-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-cdi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-client-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-deploy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-fcgi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-http-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-http-spi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-io-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jaas-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jmx-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jndi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jsp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-openid-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-plus-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-proxy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-quickstart-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-rewrite-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-security-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-server-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-servlet-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-servlets-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-start-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-util-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-webapp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-xml-9.4.56-150200.3.28.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-http-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-io-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-security-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-server-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-servlet-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-http-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-io-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-security-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-server-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-servlet-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Development Tools 15 SP6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "SUSE Linux Enterprise Module for Package Hub 15 SP6:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-annotations-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-ant-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-cdi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-client-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-deploy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-fcgi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-http-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-http-spi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-io-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jaas-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jmx-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jndi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-jsp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-openid-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-plus-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-proxy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-quickstart-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-rewrite-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-security-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-server-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-servlet-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-servlets-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-start-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-util-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-webapp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.5:jetty-xml-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-annotations-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-ant-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-cdi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-client-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-continuation-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-deploy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-fcgi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-http-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-http-spi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-io-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jaas-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jmx-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jndi-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-jsp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-minimal-javadoc-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-openid-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-plus-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-proxy-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-quickstart-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-rewrite-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-security-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-server-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-servlet-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-servlets-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-start-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-util-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-util-ajax-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-webapp-9.4.56-150200.3.28.1.noarch", "openSUSE Leap 15.6:jetty-xml-9.4.56-150200.3.28.1.noarch", ], }, ], threats: [ { category: "impact", date: "2024-10-18T06:33:56Z", details: "moderate", }, ], title: "CVE-2024-8184", }, ], }
rhsa-2025:2416
Vulnerability from csaf_redhat
Published
2025-03-05 20:59
Modified
2025-04-17 08:36
Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update
Notes
Topic
Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] "(CVE-2023-52428)"
* Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] "(CVE-2024-47535)"
* Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] "(CVE-2024-31141)"
* Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] "(CVE-2024-47554)"
* Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] "(CVE-2024-8184)"
* Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] "(CVE-2024-8184)"
* Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] "(CVE-2024-9355)"
* Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] "(CVE-2024-24791)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Streams for Apache Kafka 2.9.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat Streams for Apache Kafka 2.9.0 serves as a replacement for Red Hat Streams for Apache Kafka 2.8.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Cruise Control:cio.netty:netty-common:4.1.115.Final-redhat [amq-st-2] \"(CVE-2023-52428)\"\n\n* Cruise Control:com.nimbusds:nimbus-jose-jwt:9.37.2.redhat [amq-st-2] \"(CVE-2024-47535)\"\n\n* Cruise Control:org.apache.kafka:kafka-clients:3.5.2.redhat+ [amq-st-2] \"(CVE-2024-31141)\"\n\n* Cruise Control:io:commons-io:2.15.1.redhat+ [amq-st-2] \"(CVE-2024-47554)\"\n\n* Cruise Control:org.eclipse.jetty:jetty-server:9.4.56.v20240826-redhat+ [amq-st-2] \"(CVE-2024-8184)\"\n\n* Cruise Control:org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \"(CVE-2024-8184)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: Golang FIPS zeroed buffer [amq-st-2] \"(CVE-2024-9355)\"\n\n* Kafka Exporter:golang-github-danielqsj-kafka_exporter: net/http: Denial of service due to improper 100-continue handling in net/http [amq-st-2] \"(CVE-2024-24791)\"", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2025:2416", url: "https://access.redhat.com/errata/RHSA-2025:2416", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2295310", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", }, { category: "external", summary: "2309764", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2309764", }, { category: "external", summary: "2315719", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2315719", }, { category: "external", summary: "2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "2325538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2325538", }, { category: "external", summary: "2327264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2327264", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_2416.json", }, ], title: "Red Hat Security Advisory: Streams for Apache Kafka 2.9.0 release and security update", tracking: { current_release_date: "2025-04-17T08:36:09+00:00", generator: { date: "2025-04-17T08:36:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2025:2416", initial_release_date: "2025-03-05T20:59:06+00:00", revision_history: [ { date: "2025-03-05T20:59:06+00:00", number: "1", summary: "Initial version", }, { date: "2025-03-05T20:59:06+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-17T08:36:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Streams for Apache Kafka 2.9.0", product: { name: "Streams for Apache Kafka 2.9.0", product_id: "Streams for Apache Kafka 2.9.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2023-52428", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-09-04T17:02:58.468000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2309764", }, ], notes: [ { category: "description", text: "A vulnerability was found in the Nimbus Jose JWT package. This issue could allow an attacker to use a malicious large JWE p2c header value for PasswordBasedDecrypter and cause a Denial of Service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2023-52428", }, { category: "external", summary: "RHBZ#2309764", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2309764", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2023-52428", url: "https://www.cve.org/CVERecord?id=CVE-2023-52428", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-52428", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-52428", }, ], release_date: "2024-02-11T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "nimbus-jose-jwt: large JWE p2c header value causes Denial of Service", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { acknowledgments: [ { names: [ "David Benoit", ], organization: "Red Hat", summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2024-9355", cwe: { id: "CWE-457", name: "Use of Uninitialized Variable", }, discovery_date: "2024-09-30T17:51:17.811000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2315719", }, ], notes: [ { category: "description", text: "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.", title: "Vulnerability description", }, { category: "summary", text: "golang-fips: Golang FIPS zeroed buffer", title: "Vulnerability summary", }, { category: "other", text: "This issue is specific to the Go language and only affects the test code in cri-o and conmon, not the production code. Since both projects use Go exclusively for testing purposes, this issue does not impact their production environment. Therefore, cri-o and conmon are not affected by this vulnerability.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-9355", }, { category: "external", summary: "RHBZ#2315719", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2315719", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-9355", url: "https://www.cve.org/CVERecord?id=CVE-2024-9355", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-9355", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-9355", }, ], release_date: "2024-09-30T20:53:42.833000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "golang-fips: Golang FIPS zeroed buffer", }, { cve: "CVE-2024-24791", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2024-07-02T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2295310", }, ], notes: [ { category: "description", text: "A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "net/http: Denial of service due to improper 100-continue handling in net/http", title: "Vulnerability summary", }, { category: "other", text: "An attacker would need to control a malicious server and induce a client to connect to it, requiring some amount of preparation outside of the attacker's control. This reduces the severity score of this flaw to Moderate.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-24791", }, { category: "external", summary: "RHBZ#2295310", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2295310", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-24791", url: "https://www.cve.org/CVERecord?id=CVE-2024-24791", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-24791", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-24791", }, { category: "external", summary: "https://go.dev/cl/591255", url: "https://go.dev/cl/591255", }, { category: "external", summary: "https://go.dev/issue/67555", url: "https://go.dev/issue/67555", }, { category: "external", summary: "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ", url: "https://groups.google.com/g/golang-dev/c/t0rK-qHBqzY/m/6MMoAZkMAgAJ", }, ], release_date: "2024-07-02T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.9.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "net/http: Denial of service due to improper 100-continue handling in net/http", }, { cve: "CVE-2024-31141", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2024-11-19T09:00:35.857468+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2327264", }, ], notes: [ { category: "description", text: "A flaw was found in Apache Kafka Clients. Apache Kafka Clients accepts configuration data for customizing behavior and includes ConfigProvider plugins to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations, which include the ability to read from disk or environment variables. In applications where an untrusted party can specify Apache Kafka Clients configurations, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.", title: "Vulnerability description", }, { category: "summary", text: "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-31141", }, { category: "external", summary: "RHBZ#2327264", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2327264", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-31141", url: "https://www.cve.org/CVERecord?id=CVE-2024-31141", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-31141", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-31141", }, { category: "external", summary: "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv", url: "https://lists.apache.org/thread/9whdzfr0zwdhr364604w5ssnzmg4v2lv", }, ], release_date: "2024-11-19T08:40:50.695000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "kafka-clients: privilege escalation to filesystem read-access via automatic ConfigProvider", }, { cve: "CVE-2024-47535", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-11-12T16:01:18.772613+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2325538", }, ], notes: [ { category: "description", text: "A flaw was found in Netty. An unsafe reading of the environment file could potentially cause a denial of service. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates a large file, the Netty application crashes.", title: "Vulnerability description", }, { category: "summary", text: "netty: Denial of Service attack on windows app using Netty", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47535", }, { category: "external", summary: "RHBZ#2325538", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2325538", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47535", url: "https://www.cve.org/CVERecord?id=CVE-2024-47535", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47535", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47535", }, { category: "external", summary: "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3", url: "https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv", url: "https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv", }, ], release_date: "2024-11-12T15:50:08.334000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty: Denial of Service attack on windows app using Netty", }, { cve: "CVE-2024-47554", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-03T12:00:40.921058+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316271", }, ], notes: [ { category: "description", text: "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.9.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47554", }, { category: "external", summary: "RHBZ#2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47554", url: "https://www.cve.org/CVERecord?id=CVE-2024-47554", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", }, { category: "external", summary: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", url: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", }, ], release_date: "2024-10-03T11:32:48.936000+00:00", remediations: [ { category: "vendor_fix", date: "2025-03-05T20:59:06+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.9.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2025:2416", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.9.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", }, ], }
rhsa-2024:9571
Vulnerability from csaf_redhat
Published
2024-11-13 16:21
Modified
2025-03-28 11:01
Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update
Notes
Topic
Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2]
"(CVE-2024-8184)"
* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)"
* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)"
* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)"
"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)"
* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:9571", url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2308606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308606", }, { category: "external", summary: "2313454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2313454", }, { category: "external", summary: "2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "2318565", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318565", }, { category: "external", summary: "ASUI-91", url: "https://issues.redhat.com/browse/ASUI-91", }, { category: "external", summary: "ENTMQST-2632", url: "https://issues.redhat.com/browse/ENTMQST-2632", }, { category: "external", summary: "ENTMQST-3288", url: "https://issues.redhat.com/browse/ENTMQST-3288", }, { category: "external", summary: "ENTMQST-4019", url: "https://issues.redhat.com/browse/ENTMQST-4019", }, { category: "external", summary: "ENTMQST-5199", url: "https://issues.redhat.com/browse/ENTMQST-5199", }, { category: "external", summary: "ENTMQST-5669", url: "https://issues.redhat.com/browse/ENTMQST-5669", }, { category: "external", summary: "ENTMQST-5674", url: "https://issues.redhat.com/browse/ENTMQST-5674", }, { category: "external", summary: "ENTMQST-5740", url: "https://issues.redhat.com/browse/ENTMQST-5740", }, { category: "external", summary: "ENTMQST-5789", url: "https://issues.redhat.com/browse/ENTMQST-5789", }, { category: "external", summary: "ENTMQST-5843", url: "https://issues.redhat.com/browse/ENTMQST-5843", }, { category: "external", summary: "ENTMQST-5850", url: "https://issues.redhat.com/browse/ENTMQST-5850", }, { category: "external", summary: "ENTMQST-5863", url: "https://issues.redhat.com/browse/ENTMQST-5863", }, { category: "external", summary: "ENTMQST-5865", url: "https://issues.redhat.com/browse/ENTMQST-5865", }, { category: "external", summary: "ENTMQST-5915", url: "https://issues.redhat.com/browse/ENTMQST-5915", }, { category: "external", summary: "ENTMQST-6028", url: "https://issues.redhat.com/browse/ENTMQST-6028", }, { category: "external", summary: "ENTMQST-6032", url: "https://issues.redhat.com/browse/ENTMQST-6032", }, { category: "external", summary: "ENTMQST-6129", url: "https://issues.redhat.com/browse/ENTMQST-6129", }, { category: "external", summary: "ENTMQST-6183", url: "https://issues.redhat.com/browse/ENTMQST-6183", }, { category: "external", summary: "ENTMQST-6205", url: "https://issues.redhat.com/browse/ENTMQST-6205", }, { category: "external", summary: "ENTMQST-6225", url: "https://issues.redhat.com/browse/ENTMQST-6225", }, { category: "external", summary: "ENTMQST-6341", url: "https://issues.redhat.com/browse/ENTMQST-6341", }, { category: "external", summary: "ENTMQST-6421", url: "https://issues.redhat.com/browse/ENTMQST-6421", }, { category: "external", summary: "ENTMQST-6422", url: "https://issues.redhat.com/browse/ENTMQST-6422", }, { category: "external", summary: "ENTMQSTPR-43", url: "https://issues.redhat.com/browse/ENTMQSTPR-43", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json", }, ], title: "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update", tracking: { current_release_date: "2025-03-28T11:01:17+00:00", generator: { date: "2025-03-28T11:01:17+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2024:9571", initial_release_date: "2024-11-13T16:21:03+00:00", revision_history: [ { date: "2024-11-13T16:21:03+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-13T16:21:03+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-28T11:01:17+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Streams for Apache Kafka 2.8.0", product: { name: "Streams for Apache Kafka 2.8.0", product_id: "Streams for Apache Kafka 2.8.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-7254", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2024-09-19T01:20:29.981665+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2313454", }, ], notes: [ { category: "description", text: "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.", title: "Vulnerability description", }, { category: "summary", text: "protobuf: StackOverflow vulnerability in Protocol Buffers", title: "Vulnerability summary", }, { category: "other", text: "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack's capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-7254", }, { category: "external", summary: "RHBZ#2313454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2313454", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-7254", url: "https://www.cve.org/CVERecord?id=CVE-2024-7254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-7254", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-7254", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa", url: "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa", }, ], release_date: "2024-09-19T01:15:10.963000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "protobuf: StackOverflow vulnerability in Protocol Buffers", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { cve: "CVE-2024-8285", cwe: { id: "CWE-297", name: "Improper Validation of Certificate with Host Mismatch", }, discovery_date: "2024-08-29T22:39:10.882000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2308606", }, ], notes: [ { category: "description", text: "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.", title: "Vulnerability description", }, { category: "summary", text: "kroxylicious: Missing upstream Kafka TLS hostname verification", title: "Vulnerability summary", }, { category: "other", text: "Red Hat have considered this vulnerability as a 'Moderate' severity given the complexity and the permission level required to perform a successful attacker.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8285", }, { category: "external", summary: "RHBZ#2308606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8285", url: "https://www.cve.org/CVERecord?id=CVE-2024-8285", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8285", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8285", }, ], release_date: "2024-08-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "kroxylicious: Missing upstream Kafka TLS hostname verification", }, { cve: "CVE-2024-9823", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:06.545771+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318565", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-9823", }, { category: "external", summary: "RHBZ#2318565", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318565", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-9823", url: "https://www.cve.org/CVERecord?id=CVE-2024-9823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-9823", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-9823", }, { category: "external", summary: "https://github.com/jetty/jetty.project/issues/1256", url: "https://github.com/jetty/jetty.project/issues/1256", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39", }, ], release_date: "2024-10-14T15:03:02.293000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, { cve: "CVE-2024-47554", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-03T12:00:40.921058+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316271", }, ], notes: [ { category: "description", text: "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47554", }, { category: "external", summary: "RHBZ#2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47554", url: "https://www.cve.org/CVERecord?id=CVE-2024-47554", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", }, { category: "external", summary: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", url: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", }, ], release_date: "2024-10-03T11:32:48.936000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", }, ], }
rhsa-2024:11023
Vulnerability from csaf_redhat
Published
2024-12-12 20:00
Modified
2025-04-10 00:17
Summary
Red Hat Security Advisory: HawtIO 4.1.0 for Red Hat build of Apache Camel 4 Release and security update.
Notes
Topic
HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)
* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)
* org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource (CVE-2024-38816)
* org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks (CVE-2024-8184)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
* braces: fails to limit the number of characters it can handle (CVE-2024-4068)
* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)
* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
* express: Improper Input Handling in Express Redirects (CVE-2024-43796)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\n* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)\n\n* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)\n\n* org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource (CVE-2024-38816)\n\n* org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks (CVE-2024-8184)\n\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)\n\n* braces: fails to limit the number of characters it can handle (CVE-2024-4068)\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\n* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)\n\n* express: Improper Input Handling in Express Redirects (CVE-2024-43796)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:11023", url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "2280600", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2280600", }, { category: "external", summary: "2305290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2305290", }, { category: "external", summary: "2310908", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2310908", }, { category: "external", summary: "2311152", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311152", }, { category: "external", summary: "2311153", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311153", }, { category: "external", summary: "2311154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311154", }, { category: "external", summary: "2312060", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312060", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_11023.json", }, ], title: "Red Hat Security Advisory: HawtIO 4.1.0 for Red Hat build of Apache Camel 4 Release and security update.", tracking: { current_release_date: "2025-04-10T00:17:18+00:00", generator: { date: "2025-04-10T00:17:18+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2024:11023", initial_release_date: "2024-12-12T20:00:23+00:00", revision_history: [ { date: "2024-12-12T20:00:23+00:00", number: "1", summary: "Initial version", }, { date: "2024-12-12T20:00:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-10T00:17:18+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product: { name: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product_id: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product_identification_helper: { cpe: "cpe:/a:redhat:rhboac_hawtio:4.0.0", }, }, }, ], category: "product_family", name: "Red Hat Build of Apache Camel", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-4068", cwe: { id: "CWE-1050", name: "Excessive Platform Resource Consumption within a Loop", }, discovery_date: "2024-05-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2280600", }, ], notes: [ { category: "description", text: "A flaw was found in the NPM package `braces.` It fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, causing the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", title: "Vulnerability description", }, { category: "summary", text: "braces: fails to limit the number of characters it can handle", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-4068", }, { category: "external", summary: "RHBZ#2280600", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2280600", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-4068", url: "https://www.cve.org/CVERecord?id=CVE-2024-4068", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", }, { category: "external", summary: "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", url: "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", }, { category: "external", summary: "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", url: "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", }, { category: "external", summary: "https://github.com/micromatch/braces/issues/35", url: "https://github.com/micromatch/braces/issues/35", }, ], release_date: "2024-03-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "braces: fails to limit the number of characters it can handle", }, { acknowledgments: [ { names: [ "BfC", ], }, ], cve: "CVE-2024-7885", cwe: { id: "CWE-362", name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", }, discovery_date: "2024-08-16T09:00:41.686000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2305290", }, ], notes: [ { category: "description", text: "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Improper State Management in Proxy Protocol parsing causes information leakage", title: "Vulnerability summary", }, { category: "other", text: "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-7885", }, { category: "external", summary: "RHBZ#2305290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2305290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-7885", url: "https://www.cve.org/CVERecord?id=CVE-2024-7885", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-7885", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-7885", }, ], release_date: "2024-08-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "undertow: Improper State Management in Proxy Protocol parsing causes information leakage", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { cve: "CVE-2024-38816", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2024-09-13T06:20:08.422867+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2312060", }, ], notes: [ { category: "description", text: "A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a FileSystemResource location.", title: "Vulnerability description", }, { category: "summary", text: "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", title: "Vulnerability summary", }, { category: "other", text: "Path traversal vulnerabilities in applications that serve static resources via RouterFunctions and FileSystemResource pose a important security risk, as they allow attackers to bypass access controls and retrieve arbitrary files from the server's filesystem. This type of attack can lead to unauthorized exposure of sensitive data, such as configuration files, environment variables, or authentication credentials. If exploited, it can further facilitate privilege escalation, lateral movement, or remote code execution within the system. Given the broad access it grants to the server's filesystem, the potential for system compromise makes path traversal vulnerabilities a high-severity issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-38816", }, { category: "external", summary: "RHBZ#2312060", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312060", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-38816", url: "https://www.cve.org/CVERecord?id=CVE-2024-38816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-38816", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-38816", }, { category: "external", summary: "https://spring.io/security/cve-2024-38816", url: "https://spring.io/security/cve-2024-38816", }, ], release_date: "2024-09-13T06:15:11.190000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", }, { cve: "CVE-2024-43796", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:28.106254+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311152", }, ], notes: [ { category: "description", text: "A flaw was found in Express. This vulnerability allows untrusted code execution via passing untrusted user input to response.redirect(), even if the input is sanitized.", title: "Vulnerability description", }, { category: "summary", text: "express: Improper Input Handling in Express Redirects", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43796", }, { category: "external", summary: "RHBZ#2311152", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311152", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43796", url: "https://www.cve.org/CVERecord?id=CVE-2024-43796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", }, { category: "external", summary: "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", url: "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", }, { category: "external", summary: "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", url: "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", }, ], release_date: "2024-09-10T15:15:17.510000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "express: Improper Input Handling in Express Redirects", }, { cve: "CVE-2024-43799", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:30.869487+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311153", }, ], notes: [ { category: "description", text: "A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.", title: "Vulnerability description", }, { category: "summary", text: "send: Code Execution Vulnerability in Send Library", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43799", }, { category: "external", summary: "RHBZ#2311153", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311153", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43799", url: "https://www.cve.org/CVERecord?id=CVE-2024-43799", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", }, { category: "external", summary: "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", url: "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", }, { category: "external", summary: "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", url: "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", }, ], release_date: "2024-09-10T15:15:17.727000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "send: Code Execution Vulnerability in Send Library", }, { cve: "CVE-2024-43800", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:33.631718+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311154", }, ], notes: [ { category: "description", text: "A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().", title: "Vulnerability description", }, { category: "summary", text: "serve-static: Improper Sanitization in serve-static", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43800", }, { category: "external", summary: "RHBZ#2311154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43800", url: "https://www.cve.org/CVERecord?id=CVE-2024-43800", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", }, { category: "external", summary: "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", url: "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", }, { category: "external", summary: "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", url: "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", }, { category: "external", summary: "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", url: "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", }, ], release_date: "2024-09-10T15:15:17.937000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "serve-static: Improper Sanitization in serve-static", }, { cve: "CVE-2024-45296", cwe: { id: "CWE-1333", name: "Inefficient Regular Expression Complexity", }, discovery_date: "2024-09-09T19:20:18.127723+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2310908", }, ], notes: [ { category: "description", text: "A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "path-to-regexp: Backtracking regular expressions cause ReDoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-45296", }, { category: "external", summary: "RHBZ#2310908", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2310908", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-45296", url: "https://www.cve.org/CVERecord?id=CVE-2024-45296", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", url: "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", url: "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", url: "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", }, ], release_date: "2024-09-09T19:15:13.330000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "path-to-regexp: Backtracking regular expressions cause ReDoS", }, ], }
RHSA-2024:9571
Vulnerability from csaf_redhat
Published
2024-11-13 16:21
Modified
2025-03-28 11:01
Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update
Notes
Topic
Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2]
"(CVE-2024-8184)"
* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)"
* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)"
* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)"
"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)"
* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:9571", url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2308606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308606", }, { category: "external", summary: "2313454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2313454", }, { category: "external", summary: "2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "2318565", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318565", }, { category: "external", summary: "ASUI-91", url: "https://issues.redhat.com/browse/ASUI-91", }, { category: "external", summary: "ENTMQST-2632", url: "https://issues.redhat.com/browse/ENTMQST-2632", }, { category: "external", summary: "ENTMQST-3288", url: "https://issues.redhat.com/browse/ENTMQST-3288", }, { category: "external", summary: "ENTMQST-4019", url: "https://issues.redhat.com/browse/ENTMQST-4019", }, { category: "external", summary: "ENTMQST-5199", url: "https://issues.redhat.com/browse/ENTMQST-5199", }, { category: "external", summary: "ENTMQST-5669", url: "https://issues.redhat.com/browse/ENTMQST-5669", }, { category: "external", summary: "ENTMQST-5674", url: "https://issues.redhat.com/browse/ENTMQST-5674", }, { category: "external", summary: "ENTMQST-5740", url: "https://issues.redhat.com/browse/ENTMQST-5740", }, { category: "external", summary: "ENTMQST-5789", url: "https://issues.redhat.com/browse/ENTMQST-5789", }, { category: "external", summary: "ENTMQST-5843", url: "https://issues.redhat.com/browse/ENTMQST-5843", }, { category: "external", summary: "ENTMQST-5850", url: "https://issues.redhat.com/browse/ENTMQST-5850", }, { category: "external", summary: "ENTMQST-5863", url: "https://issues.redhat.com/browse/ENTMQST-5863", }, { category: "external", summary: "ENTMQST-5865", url: "https://issues.redhat.com/browse/ENTMQST-5865", }, { category: "external", summary: "ENTMQST-5915", url: "https://issues.redhat.com/browse/ENTMQST-5915", }, { category: "external", summary: "ENTMQST-6028", url: "https://issues.redhat.com/browse/ENTMQST-6028", }, { category: "external", summary: "ENTMQST-6032", url: "https://issues.redhat.com/browse/ENTMQST-6032", }, { category: "external", summary: "ENTMQST-6129", url: "https://issues.redhat.com/browse/ENTMQST-6129", }, { category: "external", summary: "ENTMQST-6183", url: "https://issues.redhat.com/browse/ENTMQST-6183", }, { category: "external", summary: "ENTMQST-6205", url: "https://issues.redhat.com/browse/ENTMQST-6205", }, { category: "external", summary: "ENTMQST-6225", url: "https://issues.redhat.com/browse/ENTMQST-6225", }, { category: "external", summary: "ENTMQST-6341", url: "https://issues.redhat.com/browse/ENTMQST-6341", }, { category: "external", summary: "ENTMQST-6421", url: "https://issues.redhat.com/browse/ENTMQST-6421", }, { category: "external", summary: "ENTMQST-6422", url: "https://issues.redhat.com/browse/ENTMQST-6422", }, { category: "external", summary: "ENTMQSTPR-43", url: "https://issues.redhat.com/browse/ENTMQSTPR-43", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json", }, ], title: "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update", tracking: { current_release_date: "2025-03-28T11:01:17+00:00", generator: { date: "2025-03-28T11:01:17+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2024:9571", initial_release_date: "2024-11-13T16:21:03+00:00", revision_history: [ { date: "2024-11-13T16:21:03+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-13T16:21:03+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-28T11:01:17+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Streams for Apache Kafka 2.8.0", product: { name: "Streams for Apache Kafka 2.8.0", product_id: "Streams for Apache Kafka 2.8.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-7254", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2024-09-19T01:20:29.981665+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2313454", }, ], notes: [ { category: "description", text: "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.", title: "Vulnerability description", }, { category: "summary", text: "protobuf: StackOverflow vulnerability in Protocol Buffers", title: "Vulnerability summary", }, { category: "other", text: "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack's capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-7254", }, { category: "external", summary: "RHBZ#2313454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2313454", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-7254", url: "https://www.cve.org/CVERecord?id=CVE-2024-7254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-7254", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-7254", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa", url: "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa", }, ], release_date: "2024-09-19T01:15:10.963000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "protobuf: StackOverflow vulnerability in Protocol Buffers", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { cve: "CVE-2024-8285", cwe: { id: "CWE-297", name: "Improper Validation of Certificate with Host Mismatch", }, discovery_date: "2024-08-29T22:39:10.882000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2308606", }, ], notes: [ { category: "description", text: "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.", title: "Vulnerability description", }, { category: "summary", text: "kroxylicious: Missing upstream Kafka TLS hostname verification", title: "Vulnerability summary", }, { category: "other", text: "Red Hat have considered this vulnerability as a 'Moderate' severity given the complexity and the permission level required to perform a successful attacker.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8285", }, { category: "external", summary: "RHBZ#2308606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8285", url: "https://www.cve.org/CVERecord?id=CVE-2024-8285", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8285", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8285", }, ], release_date: "2024-08-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "kroxylicious: Missing upstream Kafka TLS hostname verification", }, { cve: "CVE-2024-9823", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:06.545771+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318565", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-9823", }, { category: "external", summary: "RHBZ#2318565", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318565", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-9823", url: "https://www.cve.org/CVERecord?id=CVE-2024-9823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-9823", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-9823", }, { category: "external", summary: "https://github.com/jetty/jetty.project/issues/1256", url: "https://github.com/jetty/jetty.project/issues/1256", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39", }, ], release_date: "2024-10-14T15:03:02.293000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, { cve: "CVE-2024-47554", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-03T12:00:40.921058+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316271", }, ], notes: [ { category: "description", text: "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47554", }, { category: "external", summary: "RHBZ#2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47554", url: "https://www.cve.org/CVERecord?id=CVE-2024-47554", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", }, { category: "external", summary: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", url: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", }, ], release_date: "2024-10-03T11:32:48.936000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", }, ], }
rhsa-2024_11023
Vulnerability from csaf_redhat
Published
2024-12-12 20:00
Modified
2024-12-18 05:41
Summary
Red Hat Security Advisory: HawtIO 4.1.0 for Red Hat build of Apache Camel 4 Release and security update.
Notes
Topic
HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)
* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)
* org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource (CVE-2024-38816)
* org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks (CVE-2024-8184)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
* braces: fails to limit the number of characters it can handle (CVE-2024-4068)
* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)
* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
* express: Improper Input Handling in Express Redirects (CVE-2024-43796)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\n* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)\n\n* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)\n\n* org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource (CVE-2024-38816)\n\n* org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks (CVE-2024-8184)\n\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)\n\n* braces: fails to limit the number of characters it can handle (CVE-2024-4068)\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\n* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)\n\n* express: Improper Input Handling in Express Redirects (CVE-2024-43796)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:11023", url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "2280600", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2280600", }, { category: "external", summary: "2305290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2305290", }, { category: "external", summary: "2310908", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2310908", }, { category: "external", summary: "2311152", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311152", }, { category: "external", summary: "2311153", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311153", }, { category: "external", summary: "2311154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311154", }, { category: "external", summary: "2312060", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312060", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_11023.json", }, ], title: "Red Hat Security Advisory: HawtIO 4.1.0 for Red Hat build of Apache Camel 4 Release and security update.", tracking: { current_release_date: "2024-12-18T05:41:54+00:00", generator: { date: "2024-12-18T05:41:54+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:11023", initial_release_date: "2024-12-12T20:00:23+00:00", revision_history: [ { date: "2024-12-12T20:00:23+00:00", number: "1", summary: "Initial version", }, { date: "2024-12-12T20:00:23+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-18T05:41:54+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product: { name: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product_id: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product_identification_helper: { cpe: "cpe:/a:redhat:rhboac_hawtio:4.0.0", }, }, }, ], category: "product_family", name: "Red Hat Build of Apache Camel", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-4068", cwe: { id: "CWE-1050", name: "Excessive Platform Resource Consumption within a Loop", }, discovery_date: "2024-05-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2280600", }, ], notes: [ { category: "description", text: "A flaw was found in the NPM package `braces.` It fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, causing the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", title: "Vulnerability description", }, { category: "summary", text: "braces: fails to limit the number of characters it can handle", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-4068", }, { category: "external", summary: "RHBZ#2280600", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2280600", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-4068", url: "https://www.cve.org/CVERecord?id=CVE-2024-4068", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", }, { category: "external", summary: "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", url: "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", }, { category: "external", summary: "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", url: "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", }, { category: "external", summary: "https://github.com/micromatch/braces/issues/35", url: "https://github.com/micromatch/braces/issues/35", }, ], release_date: "2024-03-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "braces: fails to limit the number of characters it can handle", }, { acknowledgments: [ { names: [ "BfC", ], }, ], cve: "CVE-2024-7885", cwe: { id: "CWE-362", name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", }, discovery_date: "2024-08-16T09:00:41.686000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2305290", }, ], notes: [ { category: "description", text: "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Improper State Management in Proxy Protocol parsing causes information leakage", title: "Vulnerability summary", }, { category: "other", text: "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-7885", }, { category: "external", summary: "RHBZ#2305290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2305290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-7885", url: "https://www.cve.org/CVERecord?id=CVE-2024-7885", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-7885", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-7885", }, ], release_date: "2024-08-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "undertow: Improper State Management in Proxy Protocol parsing causes information leakage", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { cve: "CVE-2024-38816", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2024-09-13T06:20:08.422867+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2312060", }, ], notes: [ { category: "description", text: "A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a FileSystemResource location.", title: "Vulnerability description", }, { category: "summary", text: "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", title: "Vulnerability summary", }, { category: "other", text: "Path traversal vulnerabilities in applications that serve static resources via RouterFunctions and FileSystemResource pose a important security risk, as they allow attackers to bypass access controls and retrieve arbitrary files from the server's filesystem. This type of attack can lead to unauthorized exposure of sensitive data, such as configuration files, environment variables, or authentication credentials. If exploited, it can further facilitate privilege escalation, lateral movement, or remote code execution within the system. Given the broad access it grants to the server's filesystem, the potential for system compromise makes path traversal vulnerabilities a high-severity issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-38816", }, { category: "external", summary: "RHBZ#2312060", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312060", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-38816", url: "https://www.cve.org/CVERecord?id=CVE-2024-38816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-38816", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-38816", }, { category: "external", summary: "https://spring.io/security/cve-2024-38816", url: "https://spring.io/security/cve-2024-38816", }, ], release_date: "2024-09-13T06:15:11.190000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", }, { cve: "CVE-2024-43796", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:28.106254+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311152", }, ], notes: [ { category: "description", text: "A flaw was found in Express. This vulnerability allows untrusted code execution via passing untrusted user input to response.redirect(), even if the input is sanitized.", title: "Vulnerability description", }, { category: "summary", text: "express: Improper Input Handling in Express Redirects", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43796", }, { category: "external", summary: "RHBZ#2311152", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311152", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43796", url: "https://www.cve.org/CVERecord?id=CVE-2024-43796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", }, { category: "external", summary: "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", url: "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", }, { category: "external", summary: "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", url: "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", }, ], release_date: "2024-09-10T15:15:17.510000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "express: Improper Input Handling in Express Redirects", }, { cve: "CVE-2024-43799", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:30.869487+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311153", }, ], notes: [ { category: "description", text: "A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.", title: "Vulnerability description", }, { category: "summary", text: "send: Code Execution Vulnerability in Send Library", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43799", }, { category: "external", summary: "RHBZ#2311153", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311153", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43799", url: "https://www.cve.org/CVERecord?id=CVE-2024-43799", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", }, { category: "external", summary: "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", url: "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", }, { category: "external", summary: "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", url: "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", }, ], release_date: "2024-09-10T15:15:17.727000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "send: Code Execution Vulnerability in Send Library", }, { cve: "CVE-2024-43800", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:33.631718+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311154", }, ], notes: [ { category: "description", text: "A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().", title: "Vulnerability description", }, { category: "summary", text: "serve-static: Improper Sanitization in serve-static", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43800", }, { category: "external", summary: "RHBZ#2311154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43800", url: "https://www.cve.org/CVERecord?id=CVE-2024-43800", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", }, { category: "external", summary: "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", url: "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", }, { category: "external", summary: "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", url: "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", }, { category: "external", summary: "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", url: "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", }, ], release_date: "2024-09-10T15:15:17.937000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "serve-static: Improper Sanitization in serve-static", }, { cve: "CVE-2024-45296", cwe: { id: "CWE-1333", name: "Inefficient Regular Expression Complexity", }, discovery_date: "2024-09-09T19:20:18.127723+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2310908", }, ], notes: [ { category: "description", text: "A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "path-to-regexp: Backtracking regular expressions cause ReDoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-45296", }, { category: "external", summary: "RHBZ#2310908", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2310908", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-45296", url: "https://www.cve.org/CVERecord?id=CVE-2024-45296", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", url: "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", url: "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", url: "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", }, ], release_date: "2024-09-09T19:15:13.330000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "path-to-regexp: Backtracking regular expressions cause ReDoS", }, ], }
rhsa-2024_9571
Vulnerability from csaf_redhat
Published
2024-11-13 16:21
Modified
2024-12-17 08:38
Summary
Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update
Notes
Topic
Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed
backbone that allows microservices and other applications to share data with
extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat
AMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2]
"(CVE-2024-8184)"
* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] "(CVE-2024-9823)"
* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader "(CVE-2024-47554)"
* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users "(CVE-2024-7254)"
"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)"
* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. "(CVE-2024-8285)"
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Streams for Apache Kafka 2.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Streams for Apache Kafka, based on the Apache Kafka project, offers a distributed\nbackbone that allows microservices and other applications to share data with\nextremely high throughput and extremely low latency.\n\nThis release of Red Hat AMQ Streams 2.8.0 serves as a replacement for Red Hat\nAMQ Streams 2.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n* Zookeeper, Kafka, Cruise Control: org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks [amq-st-2] \n\"(CVE-2024-8184)\"\n\n* Zookeeper, Kafka : org.eclipse.jetty/jetty-servlets: Jetty DOS vulnerability on DosFilter [amq-st-2] \"(CVE-2024-9823)\"\n\n* Zookeeper, Kafka, Drain Cleaner, Cruise Control: Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader \"(CVE-2024-47554)\"\n\n* Kafka: (com.google.protobuf:protobuf-java@3.23.4). Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users \"(CVE-2024-7254)\"\n\n\"Drain Cleaner: Awaiting Analysis(CVE-2024-29025)\"\n\n* Kroxylicoius: When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. \"(CVE-2024-8285)\"", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:9571", url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "2308606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308606", }, { category: "external", summary: "2313454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2313454", }, { category: "external", summary: "2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "2318565", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318565", }, { category: "external", summary: "ASUI-91", url: "https://issues.redhat.com/browse/ASUI-91", }, { category: "external", summary: "ENTMQST-2632", url: "https://issues.redhat.com/browse/ENTMQST-2632", }, { category: "external", summary: "ENTMQST-3288", url: "https://issues.redhat.com/browse/ENTMQST-3288", }, { category: "external", summary: "ENTMQST-4019", url: "https://issues.redhat.com/browse/ENTMQST-4019", }, { category: "external", summary: "ENTMQST-5199", url: "https://issues.redhat.com/browse/ENTMQST-5199", }, { category: "external", summary: "ENTMQST-5669", url: "https://issues.redhat.com/browse/ENTMQST-5669", }, { category: "external", summary: "ENTMQST-5674", url: "https://issues.redhat.com/browse/ENTMQST-5674", }, { category: "external", summary: "ENTMQST-5740", url: "https://issues.redhat.com/browse/ENTMQST-5740", }, { category: "external", summary: "ENTMQST-5789", url: "https://issues.redhat.com/browse/ENTMQST-5789", }, { category: "external", summary: "ENTMQST-5843", url: "https://issues.redhat.com/browse/ENTMQST-5843", }, { category: "external", summary: "ENTMQST-5850", url: "https://issues.redhat.com/browse/ENTMQST-5850", }, { category: "external", summary: "ENTMQST-5863", url: "https://issues.redhat.com/browse/ENTMQST-5863", }, { category: "external", summary: "ENTMQST-5865", url: "https://issues.redhat.com/browse/ENTMQST-5865", }, { category: "external", summary: "ENTMQST-5915", url: "https://issues.redhat.com/browse/ENTMQST-5915", }, { category: "external", summary: "ENTMQST-6028", url: "https://issues.redhat.com/browse/ENTMQST-6028", }, { category: "external", summary: "ENTMQST-6032", url: "https://issues.redhat.com/browse/ENTMQST-6032", }, { category: "external", summary: "ENTMQST-6129", url: "https://issues.redhat.com/browse/ENTMQST-6129", }, { category: "external", summary: "ENTMQST-6183", url: "https://issues.redhat.com/browse/ENTMQST-6183", }, { category: "external", summary: "ENTMQST-6205", url: "https://issues.redhat.com/browse/ENTMQST-6205", }, { category: "external", summary: "ENTMQST-6225", url: "https://issues.redhat.com/browse/ENTMQST-6225", }, { category: "external", summary: "ENTMQST-6341", url: "https://issues.redhat.com/browse/ENTMQST-6341", }, { category: "external", summary: "ENTMQST-6421", url: "https://issues.redhat.com/browse/ENTMQST-6421", }, { category: "external", summary: "ENTMQST-6422", url: "https://issues.redhat.com/browse/ENTMQST-6422", }, { category: "external", summary: "ENTMQSTPR-43", url: "https://issues.redhat.com/browse/ENTMQSTPR-43", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9571.json", }, ], title: "Red Hat Security Advisory: Streams for Apache Kafka 2.8.0 release and security update", tracking: { current_release_date: "2024-12-17T08:38:18+00:00", generator: { date: "2024-12-17T08:38:18+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2024:9571", initial_release_date: "2024-11-13T16:21:03+00:00", revision_history: [ { date: "2024-11-13T16:21:03+00:00", number: "1", summary: "Initial version", }, { date: "2024-11-13T16:21:03+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-17T08:38:18+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Streams for Apache Kafka 2.8.0", product: { name: "Streams for Apache Kafka 2.8.0", product_id: "Streams for Apache Kafka 2.8.0", product_identification_helper: { cpe: "cpe:/a:redhat:amq_streams:2", }, }, }, ], category: "product_family", name: "Streams for Apache Kafka", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-7254", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2024-09-19T01:20:29.981665+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2313454", }, ], notes: [ { category: "description", text: "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.", title: "Vulnerability description", }, { category: "summary", text: "protobuf: StackOverflow vulnerability in Protocol Buffers", title: "Vulnerability summary", }, { category: "other", text: "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack's capacity, causing the application to crash or become unresponsive.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-7254", }, { category: "external", summary: "RHBZ#2313454", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2313454", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-7254", url: "https://www.cve.org/CVERecord?id=CVE-2024-7254", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-7254", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-7254", }, { category: "external", summary: "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa", url: "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa", }, ], release_date: "2024-09-19T01:15:10.963000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "protobuf: StackOverflow vulnerability in Protocol Buffers", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { cve: "CVE-2024-8285", cwe: { id: "CWE-297", name: "Improper Validation of Certificate with Host Mismatch", }, discovery_date: "2024-08-29T22:39:10.882000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2308606", }, ], notes: [ { category: "description", text: "A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the attack would need access to the Kroxylicious configuration or a peer system. The result of a successful attack impacts both data integrity and confidentiality.", title: "Vulnerability description", }, { category: "summary", text: "kroxylicious: Missing upstream Kafka TLS hostname verification", title: "Vulnerability summary", }, { category: "other", text: "Red Hat have considered this vulnerability as a 'Moderate' severity given the complexity and the permission level required to perform a successful attacker.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8285", }, { category: "external", summary: "RHBZ#2308606", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2308606", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8285", url: "https://www.cve.org/CVERecord?id=CVE-2024-8285", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8285", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8285", }, ], release_date: "2024-08-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "kroxylicious: Missing upstream Kafka TLS hostname verification", }, { cve: "CVE-2024-9823", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:06.545771+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318565", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty. The DosFilter can be exploited remotely by unauthorized users to trigger an out-of-memory condition by repeatedly sending specially crafted requests. This issue may cause a crash, leading to a denial of service.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-9823", }, { category: "external", summary: "RHBZ#2318565", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318565", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-9823", url: "https://www.cve.org/CVERecord?id=CVE-2024-9823", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-9823", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-9823", }, { category: "external", summary: "https://github.com/jetty/jetty.project/issues/1256", url: "https://github.com/jetty/jetty.project/issues/1256", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/39", }, ], release_date: "2024-10-14T15:03:02.293000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-servlets: jetty: Jetty DOS vulnerability on DosFilter", }, { cve: "CVE-2024-29025", cwe: { id: "CWE-770", name: "Allocation of Resources Without Limits or Throttling", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2272907", }, ], notes: [ { category: "description", text: "A flaw was found in the io.netty:netty-codec-http package. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling issues due to the accumulation of data in the HttpPostRequestDecoder. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, allowing data to accumulate without limits. This flaw allows an attacker to cause a denial of service by sending a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list.", title: "Vulnerability description", }, { category: "summary", text: "netty-codec-http: Allocation of Resources Without Limits or Throttling", title: "Vulnerability summary", }, { category: "other", text: "The vulnerability in io.netty:netty-codec-http, allowing for Allocation of Resources Without Limits or Throttling issues, is assessed as moderate severity due to its potential impact on system availability and performance. By exploiting the flaw in HttpPostRequestDecoder, an attacker can craft chunked POST requests with numerous small fields, causing excessive accumulation of data in memory buffers. This unrestricted accumulation can lead to significant memory consumption on the server, potentially exhausting available resources and resulting in denial of service (DoS) conditions.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-29025", }, { category: "external", summary: "RHBZ#2272907", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2272907", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-29025", url: "https://www.cve.org/CVERecord?id=CVE-2024-29025", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-29025", }, { category: "external", summary: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", url: "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3", }, { category: "external", summary: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", url: "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c", }, { category: "external", summary: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", url: "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v", }, { category: "external", summary: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", url: "https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-6483812", }, ], release_date: "2024-03-25T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "Streams for Apache Kafka 2.8.0", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "netty-codec-http: Allocation of Resources Without Limits or Throttling", }, { cve: "CVE-2024-47554", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-03T12:00:40.921058+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2316271", }, ], notes: [ { category: "description", text: "A vulnerability was found in the Apache Commons IO component in the org.apache.commons.io.input.XmlStreamReader class. Excessive CPU resource consumption can lead to a denial of service when an untrusted input is processed.", title: "Vulnerability description", }, { category: "summary", text: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Streams for Apache Kafka 2.8.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-47554", }, { category: "external", summary: "RHBZ#2316271", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2316271", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-47554", url: "https://www.cve.org/CVERecord?id=CVE-2024-47554", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", }, { category: "external", summary: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", url: "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", }, ], release_date: "2024-10-03T11:32:48.936000+00:00", remediations: [ { category: "vendor_fix", date: "2024-11-13T16:21:03+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "Streams for Apache Kafka 2.8.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:9571", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "Streams for Apache Kafka 2.8.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "apache-commons-io: Possible denial of service attack on untrusted input to XmlStreamReader", }, ], }
RHSA-2024:11023
Vulnerability from csaf_redhat
Published
2024-12-12 20:00
Modified
2025-04-10 00:17
Summary
Red Hat Security Advisory: HawtIO 4.1.0 for Red Hat build of Apache Camel 4 Release and security update.
Notes
Topic
HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.
The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.
* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)
* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)
* org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource (CVE-2024-38816)
* org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks (CVE-2024-8184)
* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)
* braces: fails to limit the number of characters it can handle (CVE-2024-4068)
* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)
* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
* express: Improper Input Handling in Express Redirects (CVE-2024-43796)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\nRed Hat Product Security has rated this update as having a security impact of\nImportant. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available.\n\nThe purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.\n\n* serve-static: Improper Sanitization in serve-static (CVE-2024-43800)\n\n* send: Code Execution Vulnerability in Send Library (CVE-2024-43799)\n\n* org.springframework/spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource (CVE-2024-38816)\n\n* org.eclipse.jetty/jetty-server: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks (CVE-2024-8184)\n\n* quarkus-core: Leak of local configuration properties into Quarkus applications (CVE-2024-2700)\n\n* braces: fails to limit the number of characters it can handle (CVE-2024-4068)\n\n* undertow: Improper State Management in Proxy Protocol parsing causes information leakage (CVE-2024-7885)\n\n* path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)\n\n* express: Improper Input Handling in Express Redirects (CVE-2024-43796)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2024:11023", url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "2280600", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2280600", }, { category: "external", summary: "2305290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2305290", }, { category: "external", summary: "2310908", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2310908", }, { category: "external", summary: "2311152", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311152", }, { category: "external", summary: "2311153", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311153", }, { category: "external", summary: "2311154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311154", }, { category: "external", summary: "2312060", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312060", }, { category: "external", summary: "2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_11023.json", }, ], title: "Red Hat Security Advisory: HawtIO 4.1.0 for Red Hat build of Apache Camel 4 Release and security update.", tracking: { current_release_date: "2025-04-10T00:17:18+00:00", generator: { date: "2025-04-10T00:17:18+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2024:11023", initial_release_date: "2024-12-12T20:00:23+00:00", revision_history: [ { date: "2024-12-12T20:00:23+00:00", number: "1", summary: "Initial version", }, { date: "2024-12-12T20:00:23+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-10T00:17:18+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product: { name: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product_id: "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", product_identification_helper: { cpe: "cpe:/a:redhat:rhboac_hawtio:4.0.0", }, }, }, ], category: "product_family", name: "Red Hat Build of Apache Camel", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2024-2700", cwe: { id: "CWE-526", name: "Cleartext Storage of Sensitive Information in an Environment Variable", }, discovery_date: "2024-04-03T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2273281", }, ], notes: [ { category: "description", text: "A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.", title: "Vulnerability description", }, { category: "summary", text: "quarkus-core: Leak of local configuration properties into Quarkus applications", title: "Vulnerability summary", }, { category: "other", text: "Red Hat rates this as a Moderate impact vulnerability since this requires an attacker to have direct access to the environment variables to override, and the application must use that environment variable to be jeopardized.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-2700", }, { category: "external", summary: "RHBZ#2273281", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2273281", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-2700", url: "https://www.cve.org/CVERecord?id=CVE-2024-2700", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-2700", }, ], release_date: "2024-04-03T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Currently, no mitigation is available for this vulnerability. Please update as the patches become available.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "quarkus-core: Leak of local configuration properties into Quarkus applications", }, { cve: "CVE-2024-4068", cwe: { id: "CWE-1050", name: "Excessive Platform Resource Consumption within a Loop", }, discovery_date: "2024-05-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2280600", }, ], notes: [ { category: "description", text: "A flaw was found in the NPM package `braces.` It fails to limit the number of characters it can handle, which could lead to memory exhaustion. In `lib/parse.js,` if a malicious user sends \"imbalanced braces\" as input, the parsing will enter a loop, causing the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.", title: "Vulnerability description", }, { category: "summary", text: "braces: fails to limit the number of characters it can handle", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-4068", }, { category: "external", summary: "RHBZ#2280600", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2280600", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-4068", url: "https://www.cve.org/CVERecord?id=CVE-2024-4068", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-4068", }, { category: "external", summary: "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", url: "https://devhub.checkmarx.com/cve-details/CVE-2024-4068/", }, { category: "external", summary: "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", url: "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", }, { category: "external", summary: "https://github.com/micromatch/braces/issues/35", url: "https://github.com/micromatch/braces/issues/35", }, ], release_date: "2024-03-04T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "braces: fails to limit the number of characters it can handle", }, { acknowledgments: [ { names: [ "BfC", ], }, ], cve: "CVE-2024-7885", cwe: { id: "CWE-362", name: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", }, discovery_date: "2024-08-16T09:00:41.686000+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2305290", }, ], notes: [ { category: "description", text: "A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.", title: "Vulnerability description", }, { category: "summary", text: "undertow: Improper State Management in Proxy Protocol parsing causes information leakage", title: "Vulnerability summary", }, { category: "other", text: "Red Hat decided to rate this vulnerability as Important because of the potential loss of Availability and no additional privileges being required.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-7885", }, { category: "external", summary: "RHBZ#2305290", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2305290", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-7885", url: "https://www.cve.org/CVERecord?id=CVE-2024-7885", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-7885", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-7885", }, ], release_date: "2024-08-07T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "undertow: Improper State Management in Proxy Protocol parsing causes information leakage", }, { cve: "CVE-2024-8184", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2024-10-14T16:01:01.239238+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2318564", }, ], notes: [ { category: "description", text: "A flaw was found in Jetty's ThreadLimitHandler.getRemote(). This flaw allows unauthorized users to cause remote denial of service (DoS) attacks. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "Vulnerability description", }, { category: "summary", text: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", title: "Vulnerability summary", }, { category: "other", text: "This vulnerability is rated as moderate rather than important because it requires specific conditions to be met, including continuous, crafted requests that deliberately target memory allocation to exhaust resources. While it can cause a denial of service, it does not lead to direct compromise of sensitive data, unauthorized access, or code execution.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "RHBZ#2318564", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2318564", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-8184", url: "https://www.cve.org/CVERecord?id=CVE-2024-8184", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { category: "external", summary: "https://github.com/jetty/jetty.project/pull/11723", url: "https://github.com/jetty/jetty.project/pull/11723", }, { category: "external", summary: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { category: "external", summary: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], release_date: "2024-10-14T15:09:37.861000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "org.eclipse.jetty:jetty-server: jetty: Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }, { cve: "CVE-2024-38816", cwe: { id: "CWE-22", name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", }, discovery_date: "2024-09-13T06:20:08.422867+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2312060", }, ], notes: [ { category: "description", text: "A flaw was found in Spring applications using the WebMvc.fn or WebFlux.fn frameworks. This issue can allow attackers to perform path traversal attacks via crafted HTTP requests when the application serves static resources using RouterFunctions and explicitly configures resource handling with a FileSystemResource location.", title: "Vulnerability description", }, { category: "summary", text: "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", title: "Vulnerability summary", }, { category: "other", text: "Path traversal vulnerabilities in applications that serve static resources via RouterFunctions and FileSystemResource pose a important security risk, as they allow attackers to bypass access controls and retrieve arbitrary files from the server's filesystem. This type of attack can lead to unauthorized exposure of sensitive data, such as configuration files, environment variables, or authentication credentials. If exploited, it can further facilitate privilege escalation, lateral movement, or remote code execution within the system. Given the broad access it grants to the server's filesystem, the potential for system compromise makes path traversal vulnerabilities a high-severity issue.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-38816", }, { category: "external", summary: "RHBZ#2312060", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2312060", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-38816", url: "https://www.cve.org/CVERecord?id=CVE-2024-38816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-38816", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-38816", }, { category: "external", summary: "https://spring.io/security/cve-2024-38816", url: "https://spring.io/security/cve-2024-38816", }, ], release_date: "2024-09-13T06:15:11.190000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "spring-webmvc: Path Traversal Vulnerability in Spring Applications Using RouterFunctions and FileSystemResource", }, { cve: "CVE-2024-43796", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:28.106254+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311152", }, ], notes: [ { category: "description", text: "A flaw was found in Express. This vulnerability allows untrusted code execution via passing untrusted user input to response.redirect(), even if the input is sanitized.", title: "Vulnerability description", }, { category: "summary", text: "express: Improper Input Handling in Express Redirects", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43796", }, { category: "external", summary: "RHBZ#2311152", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311152", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43796", url: "https://www.cve.org/CVERecord?id=CVE-2024-43796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43796", }, { category: "external", summary: "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", url: "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", }, { category: "external", summary: "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", url: "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", }, ], release_date: "2024-09-10T15:15:17.510000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "express: Improper Input Handling in Express Redirects", }, { cve: "CVE-2024-43799", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:30.869487+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311153", }, ], notes: [ { category: "description", text: "A flaw was found in the Send library. This vulnerability allows remote code execution via untrusted input passed to the SendStream.redirect() function.", title: "Vulnerability description", }, { category: "summary", text: "send: Code Execution Vulnerability in Send Library", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43799", }, { category: "external", summary: "RHBZ#2311153", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311153", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43799", url: "https://www.cve.org/CVERecord?id=CVE-2024-43799", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43799", }, { category: "external", summary: "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", url: "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", }, { category: "external", summary: "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", url: "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", }, ], release_date: "2024-09-10T15:15:17.727000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "send: Code Execution Vulnerability in Send Library", }, { cve: "CVE-2024-43800", cwe: { id: "CWE-79", name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, discovery_date: "2024-09-10T15:30:33.631718+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2311154", }, ], notes: [ { category: "description", text: "A flaw was found in serve-static. This issue may allow the execution of untrusted code via passing sanitized yet untrusted user input to redirect().", title: "Vulnerability description", }, { category: "summary", text: "serve-static: Improper Sanitization in serve-static", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-43800", }, { category: "external", summary: "RHBZ#2311154", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2311154", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-43800", url: "https://www.cve.org/CVERecord?id=CVE-2024-43800", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-43800", }, { category: "external", summary: "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", url: "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", }, { category: "external", summary: "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", url: "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", }, { category: "external", summary: "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", url: "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", }, ], release_date: "2024-09-10T15:15:17.937000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "serve-static: Improper Sanitization in serve-static", }, { cve: "CVE-2024-45296", cwe: { id: "CWE-1333", name: "Inefficient Regular Expression Complexity", }, discovery_date: "2024-09-09T19:20:18.127723+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "2310908", }, ], notes: [ { category: "description", text: "A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS).", title: "Vulnerability description", }, { category: "summary", text: "path-to-regexp: Backtracking regular expressions cause ReDoS", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2024-45296", }, { category: "external", summary: "RHBZ#2310908", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2310908", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2024-45296", url: "https://www.cve.org/CVERecord?id=CVE-2024-45296", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", url: "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", url: "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", }, { category: "external", summary: "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", url: "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", }, ], release_date: "2024-09-09T19:15:13.330000+00:00", remediations: [ { category: "vendor_fix", date: "2024-12-12T20:00:23+00:00", details: "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "workaround", details: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", product_ids: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "HawtIO 4.0.0 for Red Hat build of Apache Camel 4", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "path-to-regexp: Backtracking regular expressions cause ReDoS", }, ], }
fkie_cve-2024-8184
Vulnerability from fkie_nvd
Published
2024-10-14 16:15
Modified
2024-11-08 21:00
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "38EE28A7-83A2-4D16-A1D7-197C1680C234", versionEndExcluding: "9.4.56", versionStartIncluding: "9.3.12", vulnerable: true, }, { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "40B124FE-E76C-4612-8781-42CF3182E264", versionEndExcluding: "10.0.24", versionStartIncluding: "10.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "43B96569-B73B-4765-994F-809E5AE1A3CE", versionEndExcluding: "11.0.24", versionStartIncluding: "11.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "CDCB79ED-6D2F-4A37-BB89-41EABF18EAC1", versionEndExcluding: "12.0.9", versionStartIncluding: "12.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", }, { lang: "es", value: "Existe una vulnerabilidad de seguridad en ThreadLimitHandler.getRemote() de Jetty que puede ser explotada por usuarios no autorizados para provocar un ataque de denegación de servicio (DoS) remoto. Al enviar repetidamente solicitudes manipuladas, los atacantes pueden generar errores OutofMemory y agotar la memoria del servidor.", }, ], id: "CVE-2024-8184", lastModified: "2024-11-08T21:00:09.857", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "emo@eclipse.org", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-10-14T16:15:04.380", references: [ { source: "emo@eclipse.org", tags: [ "Patch", ], url: "https://github.com/jetty/jetty.project/pull/11723", }, { source: "emo@eclipse.org", tags: [ "Vendor Advisory", ], url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { source: "emo@eclipse.org", tags: [ "Vendor Advisory", ], url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], sourceIdentifier: "emo@eclipse.org", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "emo@eclipse.org", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-770", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
wid-sec-w-2024-3176
Vulnerability from csaf_certbund
Published
2024-10-14 22:00
Modified
2024-12-19 23:00
Summary
Eclipse Jetty: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Eclipse Jetty ist ein Java-HTTP-Server und Java-Servlet-Container.
Angriff
Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Eclipse Jetty ausnutzen, um einen Denial of Service Angriff zu erzeugen und Daten zu manipulieren.
Betroffene Betriebssysteme
- Sonstiges
- UNIX
- Windows
{ document: { aggregate_severity: { text: "mittel", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Eclipse Jetty ist ein Java-HTTP-Server und Java-Servlet-Container.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Eclipse Jetty ausnutzen, um einen Denial of Service Angriff zu erzeugen und Daten zu manipulieren.", title: "Angriff", }, { category: "general", text: "- Sonstiges\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-3176 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3176.json", }, { category: "self", summary: "WID-SEC-2024-3176 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3176", }, { category: "external", summary: "Jetty Advisory vom 2024-10-14", url: "https://www.eclipse.org//lists/jetty-announce/msg00193.html", }, { category: "external", summary: "Jetty Advisory vom 2024-10-14", url: "https://www.eclipse.org//lists/jetty-announce/msg00194.html", }, { category: "external", summary: "GitHub Advisory vom 2024-10-14", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh", }, { category: "external", summary: "SUSE Security Update SUSE-SU-2024:3720-1 vom 2024-10-18", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/O3QVMQNMY7KSISCQZHRID4KVIGDCRX47/", }, { category: "external", summary: "openSUSE Security Update OPENSUSE-SU-2024:14408-1 vom 2024-10-19", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/BNU3R7DW4USCKK4UHDLFZ57HXWYZNOCE/", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:9571 vom 2024-11-13", url: "https://access.redhat.com/errata/RHSA-2024:9571", }, { category: "external", summary: "IBM Security Bulletin 7176904 vom 2024-12-06", url: "https://www.ibm.com/support/pages/node/7176904", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2024:11023 vom 2024-12-12", url: "https://access.redhat.com/errata/RHSA-2024:11023", }, { category: "external", summary: "Amazon Linux Security Advisory ALAS-2024-2702 vom 2024-12-20", url: "https://alas.aws.amazon.com/AL2/ALAS-2024-2702.html", }, ], source_lang: "en-US", title: "Eclipse Jetty: Mehrere Schwachstellen", tracking: { current_release_date: "2024-12-19T23:00:00.000+00:00", generator: { date: "2024-12-20T09:13:42.053+00:00", engine: { name: "BSI-WID", version: "1.3.10", }, }, id: "WID-SEC-W-2024-3176", initial_release_date: "2024-10-14T22:00:00.000+00:00", revision_history: [ { date: "2024-10-14T22:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-10-17T22:00:00.000+00:00", number: "2", summary: "Neue Updates von SUSE aufgenommen", }, { date: "2024-10-20T22:00:00.000+00:00", number: "3", summary: "Neue Updates von openSUSE aufgenommen", }, { date: "2024-11-13T23:00:00.000+00:00", number: "4", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-12-05T23:00:00.000+00:00", number: "5", summary: "Neue Updates von IBM aufgenommen", }, { date: "2024-12-12T23:00:00.000+00:00", number: "6", summary: "Neue Updates von Red Hat aufgenommen", }, { date: "2024-12-19T23:00:00.000+00:00", number: "7", summary: "Neue Updates von Amazon aufgenommen", }, ], status: "final", version: "7", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Amazon Linux 2", product: { name: "Amazon Linux 2", product_id: "398363", product_identification_helper: { cpe: "cpe:/o:amazon:linux_2:-", }, }, }, ], category: "vendor", name: "Amazon", }, { branches: [ { branches: [ { category: "product_version_range", name: "<12.0.9", product: { name: "Eclipse Jetty <12.0.9", product_id: "T038318", }, }, { category: "product_version", name: "12.0.9", product: { name: "Eclipse Jetty 12.0.9", product_id: "T038318-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:12.0.9", }, }, }, { category: "product_version_range", name: "<10.0.24", product: { name: "Eclipse Jetty <10.0.24", product_id: "T038319", }, }, { category: "product_version", name: "10.0.24", product: { name: "Eclipse Jetty 10.0.24", product_id: "T038319-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:10.0.24", }, }, }, { category: "product_version_range", name: "<11.0.24", product: { name: "Eclipse Jetty <11.0.24", product_id: "T038320", }, }, { category: "product_version", name: "11.0.24", product: { name: "Eclipse Jetty 11.0.24", product_id: "T038320-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:11.0.24", }, }, }, { category: "product_version_range", name: "<9.4.56", product: { name: "Eclipse Jetty <9.4.56", product_id: "T038321", }, }, { category: "product_version", name: "9.4.56", product: { name: "Eclipse Jetty 9.4.56", product_id: "T038321-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:9.4.56", }, }, }, { category: "product_version_range", name: "<12.0.3", product: { name: "Eclipse Jetty <12.0.3", product_id: "T038322", }, }, { category: "product_version", name: "12.0.3", product: { name: "Eclipse Jetty 12.0.3", product_id: "T038322-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:12.0.3", }, }, }, { category: "product_version_range", name: "<9.4.54", product: { name: "Eclipse Jetty <9.4.54", product_id: "T038323", }, }, { category: "product_version", name: "9.4.54", product: { name: "Eclipse Jetty 9.4.54", product_id: "T038323-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:9.4.54", }, }, }, { category: "product_version_range", name: "<10.0.18", product: { name: "Eclipse Jetty <10.0.18", product_id: "T038324", }, }, { category: "product_version", name: "10.0.18", product: { name: "Eclipse Jetty 10.0.18", product_id: "T038324-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:10.0.18", }, }, }, { category: "product_version_range", name: "<11.0.18", product: { name: "Eclipse Jetty <11.0.18", product_id: "T038325", }, }, { category: "product_version", name: "11.0.18", product: { name: "Eclipse Jetty 11.0.18", product_id: "T038325-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:11.0.18", }, }, }, { category: "product_version_range", name: "<12.0.4", product: { name: "Eclipse Jetty <12.0.4", product_id: "T038326", }, }, { category: "product_version", name: "12.0.4", product: { name: "Eclipse Jetty 12.0.4", product_id: "T038326-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:12.0.4", }, }, }, { category: "product_version_range", name: "<12.0.12", product: { name: "Eclipse Jetty <12.0.12", product_id: "T038327", }, }, { category: "product_version", name: "12.0.12", product: { name: "Eclipse Jetty 12.0.12", product_id: "T038327-fixed", product_identification_helper: { cpe: "cpe:/a:eclipse:jetty:12.0.12", }, }, }, ], category: "product_name", name: "Jetty", }, ], category: "vendor", name: "Eclipse", }, { branches: [ { branches: [ { category: "product_version", name: "11.7", product: { name: "IBM InfoSphere Information Server 11.7", product_id: "444803", product_identification_helper: { cpe: "cpe:/a:ibm:infosphere_information_server:11.7", }, }, }, ], category: "product_name", name: "InfoSphere Information Server", }, ], category: "vendor", name: "IBM", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, { branches: [ { category: "product_name", name: "SUSE Linux", product: { name: "SUSE Linux", product_id: "T002207", product_identification_helper: { cpe: "cpe:/o:suse:suse_linux:-", }, }, }, { category: "product_name", name: "SUSE openSUSE", product: { name: "SUSE openSUSE", product_id: "T027843", product_identification_helper: { cpe: "cpe:/o:suse:opensuse:-", }, }, }, ], category: "vendor", name: "SUSE", }, ], }, vulnerabilities: [ { cve: "CVE-2024-6762", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Eclipse Jetty. Diese Schwachstelle betrifft den Jetty PushSessionCacheFilter und ermöglicht eine Speichererschöpfung. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen.", }, ], product_status: { known_affected: [ "T002207", "67646", "444803", "T027843", "T038324", "T038325", "398363", "T038326", "T038322", ], }, release_date: "2024-10-14T22:00:00.000+00:00", title: "CVE-2024-6762", }, { cve: "CVE-2024-6763", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Eclipse Jetty. Dieser Fehler besteht in der HttpURI-Klasse, wenn sie als Dienstprogrammklasse in einer Anwendung verwendet wird, da das Autoritätssegment eines URIs nicht ausreichend validiert wird, wodurch Open-Redirect- oder Server-Side-Request- Forgery-Angriffe möglich sind. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen bösartigen URI zu erstellen, der das Verhalten des Servers manipulieren kann.", }, ], product_status: { known_affected: [ "T002207", "67646", "T038318", "444803", "T027843", "398363", "T038326", "T038327", "T038322", ], }, release_date: "2024-10-14T22:00:00.000+00:00", title: "CVE-2024-6763", }, { cve: "CVE-2024-8184", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Eclipse Jetty. Diese Schwachstelle betrifft die Funktion Jetty ThreadLimitHandler.getRemote aufgrund einer unsachgemäßen Handhabung der Ressourcenverwaltung, die zu einem Out-of-Memory-Fehler führen kann. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, indem er zahlreiche bösartige Anfragen sendet.", }, ], product_status: { known_affected: [ "67646", "T038318", "T038319", "T038324", "T038325", "T038326", "T038320", "T038321", "T038322", "T038323", "T002207", "444803", "T027843", "398363", ], }, release_date: "2024-10-14T22:00:00.000+00:00", title: "CVE-2024-8184", }, { cve: "CVE-2024-9823", notes: [ { category: "description", text: "Es besteht eine Schwachstelle in Eclipse Jetty. Dieser Fehler betrifft den DoSFilter aufgrund einer unsachgemäßen internen Anforderungsverfolgung, die eine Auslastung des Speichers ermöglicht. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu erzeugen, indem er manipulierte Anfragen sendet.", }, ], product_status: { known_affected: [ "T002207", "67646", "444803", "T027843", "T038324", "T038325", "398363", "T038322", "T038323", ], }, release_date: "2024-10-14T22:00:00.000+00:00", title: "CVE-2024-9823", }, ], }
ghsa-g8m5-722r-8whq
Vulnerability from github
Published
2024-10-14 21:08
Modified
2024-10-14 21:08
Severity ?
Summary
Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks
Details
Impact
Remote DOS attack can cause out of memory
Description
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which
can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By
repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the
server's memory.
Affected Versions
- Jetty 12.0.0-12.0.8 (Supported)
- Jetty 11.0.0-11.0.23 (EOL)
- Jetty 10.0.0-10.0.23 (EOL)
- Jetty 9.3.12-9.4.55 (EOL)
Patched Versions
- Jetty 12.0.9
- Jetty 11.0.24
- Jetty 10.0.24
- Jetty 9.4.56
Workarounds
Do not use ThreadLimitHandler.
Consider use of QoSHandler instead to artificially limit resource utilization.
References
Jetty 12 - https://github.com/jetty/jetty.project/pull/11723
{ affected: [ { database_specific: { last_known_affected_version_range: "<= 12.0.8", }, package: { ecosystem: "Maven", name: "org.eclipse.jetty:jetty-server", }, ranges: [ { events: [ { introduced: "12.0.0", }, { fixed: "12.0.9", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 10.0.23", }, package: { ecosystem: "Maven", name: "org.eclipse.jetty:jetty-server", }, ranges: [ { events: [ { introduced: "10.0.0", }, { fixed: "10.0.24", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 11.0.23", }, package: { ecosystem: "Maven", name: "org.eclipse.jetty:jetty-server", }, ranges: [ { events: [ { introduced: "11.0.0", }, { fixed: "11.0.24", }, ], type: "ECOSYSTEM", }, ], }, { database_specific: { last_known_affected_version_range: "<= 9.4.55", }, package: { ecosystem: "Maven", name: "org.eclipse.jetty:jetty-server", }, ranges: [ { events: [ { introduced: "9.3.12", }, { fixed: "9.4.56", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2024-8184", ], database_specific: { cwe_ids: [ "CWE-400", "CWE-770", ], github_reviewed: true, github_reviewed_at: "2024-10-14T21:08:38Z", nvd_published_at: "2024-10-14T16:15:04Z", severity: "MODERATE", }, details: "### Impact\nRemote DOS attack can cause out of memory \n\n### Description\nThere exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which\ncan be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By\nrepeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the\nserver's memory.\n\n### Affected Versions\n\n* Jetty 12.0.0-12.0.8 (Supported)\n* Jetty 11.0.0-11.0.23 (EOL)\n* Jetty 10.0.0-10.0.23 (EOL)\n* Jetty 9.3.12-9.4.55 (EOL)\n\n### Patched Versions\n\n* Jetty 12.0.9\n* Jetty 11.0.24\n* Jetty 10.0.24\n* Jetty 9.4.56\n\n### Workarounds\n\nDo not use `ThreadLimitHandler`. \nConsider use of `QoSHandler` instead to artificially limit resource utilization.\n\n### References\n\nJetty 12 - https://github.com/jetty/jetty.project/pull/11723", id: "GHSA-g8m5-722r-8whq", modified: "2024-10-14T21:08:39Z", published: "2024-10-14T21:08:38Z", references: [ { type: "WEB", url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2024-8184", }, { type: "WEB", url: "https://github.com/jetty/jetty.project/pull/11723", }, { type: "PACKAGE", url: "https://github.com/jetty/jetty.project", }, { type: "WEB", url: "https://gitlab.eclipse.org/security/cve-assignement/-/issues/30", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", type: "CVSS_V3", }, ], summary: "Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks", }
opensuse-su-2024:14408-1
Vulnerability from csaf_opensuse
Published
2024-10-17 00:00
Modified
2024-10-17 00:00
Summary
jetty-annotations-9.4.56-2.1 on GA media
Notes
Title of the patch
jetty-annotations-9.4.56-2.1 on GA media
Description of the patch
These are all security issues fixed in the jetty-annotations-9.4.56-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14408
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "jetty-annotations-9.4.56-2.1 on GA media", title: "Title of the patch", }, { category: "description", text: "These are all security issues fixed in the jetty-annotations-9.4.56-2.1 package on the GA media of openSUSE Tumbleweed.", title: "Description of the patch", }, { category: "details", text: "openSUSE-Tumbleweed-2024-14408", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14408-1.json", }, { category: "self", summary: "URL for openSUSE-SU-2024:14408-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BNU3R7DW4USCKK4UHDLFZ57HXWYZNOCE/", }, { category: "self", summary: "E-Mail link for openSUSE-SU-2024:14408-1", url: "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BNU3R7DW4USCKK4UHDLFZ57HXWYZNOCE/", }, { category: "self", summary: "SUSE CVE CVE-2024-8184 page", url: "https://www.suse.com/security/cve/CVE-2024-8184/", }, ], title: "jetty-annotations-9.4.56-2.1 on GA media", tracking: { current_release_date: "2024-10-17T00:00:00Z", generator: { date: "2024-10-17T00:00:00Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "openSUSE-SU-2024:14408-1", initial_release_date: "2024-10-17T00:00:00Z", revision_history: [ { date: "2024-10-17T00:00:00Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "jetty-annotations-9.4.56-2.1.aarch64", product: { name: "jetty-annotations-9.4.56-2.1.aarch64", product_id: "jetty-annotations-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-ant-9.4.56-2.1.aarch64", product: { name: "jetty-ant-9.4.56-2.1.aarch64", product_id: "jetty-ant-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-cdi-9.4.56-2.1.aarch64", product: { name: "jetty-cdi-9.4.56-2.1.aarch64", product_id: "jetty-cdi-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-client-9.4.56-2.1.aarch64", product: { name: "jetty-client-9.4.56-2.1.aarch64", product_id: "jetty-client-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-continuation-9.4.56-2.1.aarch64", product: { name: "jetty-continuation-9.4.56-2.1.aarch64", product_id: "jetty-continuation-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-deploy-9.4.56-2.1.aarch64", product: { name: "jetty-deploy-9.4.56-2.1.aarch64", product_id: "jetty-deploy-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-fcgi-9.4.56-2.1.aarch64", product: { name: "jetty-fcgi-9.4.56-2.1.aarch64", product_id: "jetty-fcgi-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-http-9.4.56-2.1.aarch64", product: { name: "jetty-http-9.4.56-2.1.aarch64", product_id: "jetty-http-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-http-spi-9.4.56-2.1.aarch64", product: { name: "jetty-http-spi-9.4.56-2.1.aarch64", product_id: "jetty-http-spi-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-io-9.4.56-2.1.aarch64", product: { name: "jetty-io-9.4.56-2.1.aarch64", product_id: "jetty-io-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-jaas-9.4.56-2.1.aarch64", product: { name: "jetty-jaas-9.4.56-2.1.aarch64", product_id: "jetty-jaas-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-jmx-9.4.56-2.1.aarch64", product: { name: "jetty-jmx-9.4.56-2.1.aarch64", product_id: "jetty-jmx-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-jndi-9.4.56-2.1.aarch64", product: { name: "jetty-jndi-9.4.56-2.1.aarch64", product_id: "jetty-jndi-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-jsp-9.4.56-2.1.aarch64", product: { name: "jetty-jsp-9.4.56-2.1.aarch64", product_id: "jetty-jsp-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-minimal-javadoc-9.4.56-2.1.aarch64", product: { name: "jetty-minimal-javadoc-9.4.56-2.1.aarch64", product_id: "jetty-minimal-javadoc-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-openid-9.4.56-2.1.aarch64", product: { name: "jetty-openid-9.4.56-2.1.aarch64", product_id: "jetty-openid-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-plus-9.4.56-2.1.aarch64", product: { name: "jetty-plus-9.4.56-2.1.aarch64", product_id: "jetty-plus-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-proxy-9.4.56-2.1.aarch64", product: { name: "jetty-proxy-9.4.56-2.1.aarch64", product_id: "jetty-proxy-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-quickstart-9.4.56-2.1.aarch64", product: { name: "jetty-quickstart-9.4.56-2.1.aarch64", product_id: "jetty-quickstart-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-rewrite-9.4.56-2.1.aarch64", product: { name: "jetty-rewrite-9.4.56-2.1.aarch64", product_id: "jetty-rewrite-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-security-9.4.56-2.1.aarch64", product: { name: "jetty-security-9.4.56-2.1.aarch64", product_id: "jetty-security-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-server-9.4.56-2.1.aarch64", product: { name: "jetty-server-9.4.56-2.1.aarch64", product_id: "jetty-server-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-servlet-9.4.56-2.1.aarch64", product: { name: "jetty-servlet-9.4.56-2.1.aarch64", product_id: "jetty-servlet-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-servlets-9.4.56-2.1.aarch64", product: { name: "jetty-servlets-9.4.56-2.1.aarch64", product_id: "jetty-servlets-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-start-9.4.56-2.1.aarch64", product: { name: "jetty-start-9.4.56-2.1.aarch64", product_id: "jetty-start-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-util-9.4.56-2.1.aarch64", product: { name: "jetty-util-9.4.56-2.1.aarch64", product_id: "jetty-util-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-util-ajax-9.4.56-2.1.aarch64", product: { name: "jetty-util-ajax-9.4.56-2.1.aarch64", product_id: "jetty-util-ajax-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-webapp-9.4.56-2.1.aarch64", product: { name: "jetty-webapp-9.4.56-2.1.aarch64", product_id: "jetty-webapp-9.4.56-2.1.aarch64", }, }, { category: "product_version", name: "jetty-xml-9.4.56-2.1.aarch64", product: { name: "jetty-xml-9.4.56-2.1.aarch64", product_id: "jetty-xml-9.4.56-2.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "jetty-annotations-9.4.56-2.1.ppc64le", product: { name: "jetty-annotations-9.4.56-2.1.ppc64le", product_id: "jetty-annotations-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-ant-9.4.56-2.1.ppc64le", product: { name: "jetty-ant-9.4.56-2.1.ppc64le", product_id: "jetty-ant-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-cdi-9.4.56-2.1.ppc64le", product: { name: "jetty-cdi-9.4.56-2.1.ppc64le", product_id: "jetty-cdi-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-client-9.4.56-2.1.ppc64le", product: { name: "jetty-client-9.4.56-2.1.ppc64le", product_id: "jetty-client-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-continuation-9.4.56-2.1.ppc64le", product: { name: "jetty-continuation-9.4.56-2.1.ppc64le", product_id: "jetty-continuation-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-deploy-9.4.56-2.1.ppc64le", product: { name: "jetty-deploy-9.4.56-2.1.ppc64le", product_id: "jetty-deploy-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-fcgi-9.4.56-2.1.ppc64le", product: { name: "jetty-fcgi-9.4.56-2.1.ppc64le", product_id: "jetty-fcgi-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-http-9.4.56-2.1.ppc64le", product: { name: "jetty-http-9.4.56-2.1.ppc64le", product_id: "jetty-http-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-http-spi-9.4.56-2.1.ppc64le", product: { name: "jetty-http-spi-9.4.56-2.1.ppc64le", product_id: "jetty-http-spi-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-io-9.4.56-2.1.ppc64le", product: { name: "jetty-io-9.4.56-2.1.ppc64le", product_id: "jetty-io-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-jaas-9.4.56-2.1.ppc64le", product: { name: "jetty-jaas-9.4.56-2.1.ppc64le", product_id: "jetty-jaas-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-jmx-9.4.56-2.1.ppc64le", product: { name: "jetty-jmx-9.4.56-2.1.ppc64le", product_id: "jetty-jmx-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-jndi-9.4.56-2.1.ppc64le", product: { name: "jetty-jndi-9.4.56-2.1.ppc64le", product_id: "jetty-jndi-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-jsp-9.4.56-2.1.ppc64le", product: { name: "jetty-jsp-9.4.56-2.1.ppc64le", product_id: "jetty-jsp-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-minimal-javadoc-9.4.56-2.1.ppc64le", product: { name: "jetty-minimal-javadoc-9.4.56-2.1.ppc64le", product_id: "jetty-minimal-javadoc-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-openid-9.4.56-2.1.ppc64le", product: { name: "jetty-openid-9.4.56-2.1.ppc64le", product_id: "jetty-openid-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-plus-9.4.56-2.1.ppc64le", product: { name: "jetty-plus-9.4.56-2.1.ppc64le", product_id: "jetty-plus-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-proxy-9.4.56-2.1.ppc64le", product: { name: "jetty-proxy-9.4.56-2.1.ppc64le", product_id: "jetty-proxy-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-quickstart-9.4.56-2.1.ppc64le", product: { name: "jetty-quickstart-9.4.56-2.1.ppc64le", product_id: "jetty-quickstart-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-rewrite-9.4.56-2.1.ppc64le", product: { name: "jetty-rewrite-9.4.56-2.1.ppc64le", product_id: "jetty-rewrite-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-security-9.4.56-2.1.ppc64le", product: { name: "jetty-security-9.4.56-2.1.ppc64le", product_id: "jetty-security-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-server-9.4.56-2.1.ppc64le", product: { name: "jetty-server-9.4.56-2.1.ppc64le", product_id: "jetty-server-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-servlet-9.4.56-2.1.ppc64le", product: { name: "jetty-servlet-9.4.56-2.1.ppc64le", product_id: "jetty-servlet-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-servlets-9.4.56-2.1.ppc64le", product: { name: "jetty-servlets-9.4.56-2.1.ppc64le", product_id: "jetty-servlets-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-start-9.4.56-2.1.ppc64le", product: { name: "jetty-start-9.4.56-2.1.ppc64le", product_id: "jetty-start-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-util-9.4.56-2.1.ppc64le", product: { name: "jetty-util-9.4.56-2.1.ppc64le", product_id: "jetty-util-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-util-ajax-9.4.56-2.1.ppc64le", product: { name: "jetty-util-ajax-9.4.56-2.1.ppc64le", product_id: "jetty-util-ajax-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-webapp-9.4.56-2.1.ppc64le", product: { name: "jetty-webapp-9.4.56-2.1.ppc64le", product_id: "jetty-webapp-9.4.56-2.1.ppc64le", }, }, { category: "product_version", name: "jetty-xml-9.4.56-2.1.ppc64le", product: { name: "jetty-xml-9.4.56-2.1.ppc64le", product_id: "jetty-xml-9.4.56-2.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "jetty-annotations-9.4.56-2.1.s390x", product: { name: "jetty-annotations-9.4.56-2.1.s390x", product_id: "jetty-annotations-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-ant-9.4.56-2.1.s390x", product: { name: "jetty-ant-9.4.56-2.1.s390x", product_id: "jetty-ant-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-cdi-9.4.56-2.1.s390x", product: { name: "jetty-cdi-9.4.56-2.1.s390x", product_id: "jetty-cdi-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-client-9.4.56-2.1.s390x", product: { name: "jetty-client-9.4.56-2.1.s390x", product_id: "jetty-client-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-continuation-9.4.56-2.1.s390x", product: { name: "jetty-continuation-9.4.56-2.1.s390x", product_id: "jetty-continuation-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-deploy-9.4.56-2.1.s390x", product: { name: "jetty-deploy-9.4.56-2.1.s390x", product_id: "jetty-deploy-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-fcgi-9.4.56-2.1.s390x", product: { name: "jetty-fcgi-9.4.56-2.1.s390x", product_id: "jetty-fcgi-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-http-9.4.56-2.1.s390x", product: { name: "jetty-http-9.4.56-2.1.s390x", product_id: "jetty-http-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-http-spi-9.4.56-2.1.s390x", product: { name: "jetty-http-spi-9.4.56-2.1.s390x", product_id: "jetty-http-spi-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-io-9.4.56-2.1.s390x", product: { name: "jetty-io-9.4.56-2.1.s390x", product_id: "jetty-io-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-jaas-9.4.56-2.1.s390x", product: { name: "jetty-jaas-9.4.56-2.1.s390x", product_id: "jetty-jaas-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-jmx-9.4.56-2.1.s390x", product: { name: "jetty-jmx-9.4.56-2.1.s390x", product_id: "jetty-jmx-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-jndi-9.4.56-2.1.s390x", product: { name: "jetty-jndi-9.4.56-2.1.s390x", product_id: "jetty-jndi-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-jsp-9.4.56-2.1.s390x", product: { name: "jetty-jsp-9.4.56-2.1.s390x", product_id: "jetty-jsp-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-minimal-javadoc-9.4.56-2.1.s390x", product: { name: "jetty-minimal-javadoc-9.4.56-2.1.s390x", product_id: "jetty-minimal-javadoc-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-openid-9.4.56-2.1.s390x", product: { name: "jetty-openid-9.4.56-2.1.s390x", product_id: "jetty-openid-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-plus-9.4.56-2.1.s390x", product: { name: "jetty-plus-9.4.56-2.1.s390x", product_id: "jetty-plus-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-proxy-9.4.56-2.1.s390x", product: { name: "jetty-proxy-9.4.56-2.1.s390x", product_id: "jetty-proxy-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-quickstart-9.4.56-2.1.s390x", product: { name: "jetty-quickstart-9.4.56-2.1.s390x", product_id: "jetty-quickstart-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-rewrite-9.4.56-2.1.s390x", product: { name: "jetty-rewrite-9.4.56-2.1.s390x", product_id: "jetty-rewrite-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-security-9.4.56-2.1.s390x", product: { name: "jetty-security-9.4.56-2.1.s390x", product_id: "jetty-security-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-server-9.4.56-2.1.s390x", product: { name: "jetty-server-9.4.56-2.1.s390x", product_id: "jetty-server-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-servlet-9.4.56-2.1.s390x", product: { name: "jetty-servlet-9.4.56-2.1.s390x", product_id: "jetty-servlet-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-servlets-9.4.56-2.1.s390x", product: { name: "jetty-servlets-9.4.56-2.1.s390x", product_id: "jetty-servlets-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-start-9.4.56-2.1.s390x", product: { name: "jetty-start-9.4.56-2.1.s390x", product_id: "jetty-start-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-util-9.4.56-2.1.s390x", product: { name: "jetty-util-9.4.56-2.1.s390x", product_id: "jetty-util-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-util-ajax-9.4.56-2.1.s390x", product: { name: "jetty-util-ajax-9.4.56-2.1.s390x", product_id: "jetty-util-ajax-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-webapp-9.4.56-2.1.s390x", product: { name: "jetty-webapp-9.4.56-2.1.s390x", product_id: "jetty-webapp-9.4.56-2.1.s390x", }, }, { category: "product_version", name: "jetty-xml-9.4.56-2.1.s390x", product: { name: "jetty-xml-9.4.56-2.1.s390x", product_id: "jetty-xml-9.4.56-2.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "jetty-annotations-9.4.56-2.1.x86_64", product: { name: "jetty-annotations-9.4.56-2.1.x86_64", product_id: "jetty-annotations-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-ant-9.4.56-2.1.x86_64", product: { name: "jetty-ant-9.4.56-2.1.x86_64", product_id: "jetty-ant-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-cdi-9.4.56-2.1.x86_64", product: { name: "jetty-cdi-9.4.56-2.1.x86_64", product_id: "jetty-cdi-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-client-9.4.56-2.1.x86_64", product: { name: "jetty-client-9.4.56-2.1.x86_64", product_id: "jetty-client-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-continuation-9.4.56-2.1.x86_64", product: { name: "jetty-continuation-9.4.56-2.1.x86_64", product_id: "jetty-continuation-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-deploy-9.4.56-2.1.x86_64", product: { name: "jetty-deploy-9.4.56-2.1.x86_64", product_id: "jetty-deploy-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-fcgi-9.4.56-2.1.x86_64", product: { name: "jetty-fcgi-9.4.56-2.1.x86_64", product_id: "jetty-fcgi-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-http-9.4.56-2.1.x86_64", product: { name: "jetty-http-9.4.56-2.1.x86_64", product_id: "jetty-http-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-http-spi-9.4.56-2.1.x86_64", product: { name: "jetty-http-spi-9.4.56-2.1.x86_64", product_id: "jetty-http-spi-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-io-9.4.56-2.1.x86_64", product: { name: "jetty-io-9.4.56-2.1.x86_64", product_id: "jetty-io-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-jaas-9.4.56-2.1.x86_64", product: { name: "jetty-jaas-9.4.56-2.1.x86_64", product_id: "jetty-jaas-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-jmx-9.4.56-2.1.x86_64", product: { name: "jetty-jmx-9.4.56-2.1.x86_64", product_id: "jetty-jmx-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-jndi-9.4.56-2.1.x86_64", product: { name: "jetty-jndi-9.4.56-2.1.x86_64", product_id: "jetty-jndi-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-jsp-9.4.56-2.1.x86_64", product: { name: "jetty-jsp-9.4.56-2.1.x86_64", product_id: "jetty-jsp-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-minimal-javadoc-9.4.56-2.1.x86_64", product: { name: "jetty-minimal-javadoc-9.4.56-2.1.x86_64", product_id: "jetty-minimal-javadoc-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-openid-9.4.56-2.1.x86_64", product: { name: "jetty-openid-9.4.56-2.1.x86_64", product_id: "jetty-openid-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-plus-9.4.56-2.1.x86_64", product: { name: "jetty-plus-9.4.56-2.1.x86_64", product_id: "jetty-plus-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-proxy-9.4.56-2.1.x86_64", product: { name: "jetty-proxy-9.4.56-2.1.x86_64", product_id: "jetty-proxy-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-quickstart-9.4.56-2.1.x86_64", product: { name: "jetty-quickstart-9.4.56-2.1.x86_64", product_id: "jetty-quickstart-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-rewrite-9.4.56-2.1.x86_64", product: { name: "jetty-rewrite-9.4.56-2.1.x86_64", product_id: "jetty-rewrite-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-security-9.4.56-2.1.x86_64", product: { name: "jetty-security-9.4.56-2.1.x86_64", product_id: "jetty-security-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-server-9.4.56-2.1.x86_64", product: { name: "jetty-server-9.4.56-2.1.x86_64", product_id: "jetty-server-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-servlet-9.4.56-2.1.x86_64", product: { name: "jetty-servlet-9.4.56-2.1.x86_64", product_id: "jetty-servlet-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-servlets-9.4.56-2.1.x86_64", product: { name: "jetty-servlets-9.4.56-2.1.x86_64", product_id: "jetty-servlets-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-start-9.4.56-2.1.x86_64", product: { name: "jetty-start-9.4.56-2.1.x86_64", product_id: "jetty-start-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-util-9.4.56-2.1.x86_64", product: { name: "jetty-util-9.4.56-2.1.x86_64", product_id: "jetty-util-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-util-ajax-9.4.56-2.1.x86_64", product: { name: "jetty-util-ajax-9.4.56-2.1.x86_64", product_id: "jetty-util-ajax-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-webapp-9.4.56-2.1.x86_64", product: { name: "jetty-webapp-9.4.56-2.1.x86_64", product_id: "jetty-webapp-9.4.56-2.1.x86_64", }, }, { category: "product_version", name: "jetty-xml-9.4.56-2.1.x86_64", product: { name: "jetty-xml-9.4.56-2.1.x86_64", product_id: "jetty-xml-9.4.56-2.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "openSUSE Tumbleweed", product: { name: "openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed", product_identification_helper: { cpe: "cpe:/o:opensuse:tumbleweed", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "jetty-annotations-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.aarch64", }, product_reference: "jetty-annotations-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-annotations-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.ppc64le", }, product_reference: "jetty-annotations-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-annotations-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.s390x", }, product_reference: "jetty-annotations-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-annotations-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.x86_64", }, product_reference: "jetty-annotations-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-ant-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.aarch64", }, product_reference: "jetty-ant-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-ant-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.ppc64le", }, product_reference: "jetty-ant-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-ant-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.s390x", }, product_reference: "jetty-ant-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-ant-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.x86_64", }, product_reference: "jetty-ant-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-cdi-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.aarch64", }, product_reference: "jetty-cdi-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-cdi-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.ppc64le", }, product_reference: "jetty-cdi-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-cdi-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.s390x", }, product_reference: "jetty-cdi-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-cdi-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.x86_64", }, product_reference: "jetty-cdi-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-client-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.aarch64", }, product_reference: "jetty-client-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-client-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.ppc64le", }, product_reference: "jetty-client-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-client-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.s390x", }, product_reference: "jetty-client-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-client-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.x86_64", }, product_reference: "jetty-client-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.aarch64", }, product_reference: "jetty-continuation-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.ppc64le", }, product_reference: "jetty-continuation-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.s390x", }, product_reference: "jetty-continuation-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-continuation-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.x86_64", }, product_reference: "jetty-continuation-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-deploy-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.aarch64", }, product_reference: "jetty-deploy-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-deploy-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.ppc64le", }, product_reference: "jetty-deploy-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-deploy-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.s390x", }, product_reference: "jetty-deploy-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-deploy-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.x86_64", }, product_reference: "jetty-deploy-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-fcgi-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.aarch64", }, product_reference: "jetty-fcgi-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-fcgi-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.ppc64le", }, product_reference: "jetty-fcgi-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-fcgi-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.s390x", }, product_reference: "jetty-fcgi-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-fcgi-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.x86_64", }, product_reference: "jetty-fcgi-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.aarch64", }, product_reference: "jetty-http-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.ppc64le", }, product_reference: "jetty-http-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.s390x", }, product_reference: "jetty-http-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.x86_64", }, product_reference: "jetty-http-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-spi-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.aarch64", }, product_reference: "jetty-http-spi-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-spi-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.ppc64le", }, product_reference: "jetty-http-spi-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-spi-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.s390x", }, product_reference: "jetty-http-spi-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-http-spi-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.x86_64", }, product_reference: "jetty-http-spi-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.aarch64", }, product_reference: "jetty-io-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.ppc64le", }, product_reference: "jetty-io-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.s390x", }, product_reference: "jetty-io-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-io-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.x86_64", }, product_reference: "jetty-io-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jaas-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.aarch64", }, product_reference: "jetty-jaas-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jaas-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.ppc64le", }, product_reference: "jetty-jaas-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jaas-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.s390x", }, product_reference: "jetty-jaas-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jaas-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.x86_64", }, product_reference: "jetty-jaas-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jmx-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.aarch64", }, product_reference: "jetty-jmx-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jmx-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.ppc64le", }, product_reference: "jetty-jmx-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jmx-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.s390x", }, product_reference: "jetty-jmx-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jmx-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.x86_64", }, product_reference: "jetty-jmx-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jndi-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.aarch64", }, product_reference: "jetty-jndi-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jndi-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.ppc64le", }, product_reference: "jetty-jndi-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jndi-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.s390x", }, product_reference: "jetty-jndi-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jndi-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.x86_64", }, product_reference: "jetty-jndi-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jsp-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.aarch64", }, product_reference: "jetty-jsp-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jsp-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.ppc64le", }, product_reference: "jetty-jsp-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jsp-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.s390x", }, product_reference: "jetty-jsp-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-jsp-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.x86_64", }, product_reference: "jetty-jsp-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-minimal-javadoc-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.aarch64", }, product_reference: "jetty-minimal-javadoc-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-minimal-javadoc-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.ppc64le", }, product_reference: "jetty-minimal-javadoc-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-minimal-javadoc-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.s390x", }, product_reference: "jetty-minimal-javadoc-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-minimal-javadoc-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.x86_64", }, product_reference: "jetty-minimal-javadoc-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-openid-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.aarch64", }, product_reference: "jetty-openid-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-openid-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.ppc64le", }, product_reference: "jetty-openid-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-openid-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.s390x", }, product_reference: "jetty-openid-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-openid-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.x86_64", }, product_reference: "jetty-openid-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-plus-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.aarch64", }, product_reference: "jetty-plus-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-plus-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.ppc64le", }, product_reference: "jetty-plus-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-plus-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.s390x", }, product_reference: "jetty-plus-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-plus-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.x86_64", }, product_reference: "jetty-plus-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-proxy-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.aarch64", }, product_reference: "jetty-proxy-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-proxy-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.ppc64le", }, product_reference: "jetty-proxy-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-proxy-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.s390x", }, product_reference: "jetty-proxy-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-proxy-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.x86_64", }, product_reference: "jetty-proxy-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-quickstart-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.aarch64", }, product_reference: "jetty-quickstart-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-quickstart-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.ppc64le", }, product_reference: "jetty-quickstart-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-quickstart-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.s390x", }, product_reference: "jetty-quickstart-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-quickstart-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.x86_64", }, product_reference: "jetty-quickstart-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-rewrite-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.aarch64", }, product_reference: "jetty-rewrite-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-rewrite-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.ppc64le", }, product_reference: "jetty-rewrite-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-rewrite-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.s390x", }, product_reference: "jetty-rewrite-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-rewrite-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.x86_64", }, product_reference: "jetty-rewrite-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.aarch64", }, product_reference: "jetty-security-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.ppc64le", }, product_reference: "jetty-security-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.s390x", }, product_reference: "jetty-security-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-security-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.x86_64", }, product_reference: "jetty-security-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.aarch64", }, product_reference: "jetty-server-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.ppc64le", }, product_reference: "jetty-server-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.s390x", }, product_reference: "jetty-server-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-server-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.x86_64", }, product_reference: "jetty-server-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.aarch64", }, product_reference: "jetty-servlet-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.ppc64le", }, product_reference: "jetty-servlet-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.s390x", }, product_reference: "jetty-servlet-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlet-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.x86_64", }, product_reference: "jetty-servlet-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlets-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.aarch64", }, product_reference: "jetty-servlets-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlets-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.ppc64le", }, product_reference: "jetty-servlets-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlets-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.s390x", }, product_reference: "jetty-servlets-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-servlets-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.x86_64", }, product_reference: "jetty-servlets-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-start-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.aarch64", }, product_reference: "jetty-start-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-start-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.ppc64le", }, product_reference: "jetty-start-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-start-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.s390x", }, product_reference: "jetty-start-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-start-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.x86_64", }, product_reference: "jetty-start-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.aarch64", }, product_reference: "jetty-util-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.ppc64le", }, product_reference: "jetty-util-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.s390x", }, product_reference: "jetty-util-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.x86_64", }, product_reference: "jetty-util-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.aarch64", }, product_reference: "jetty-util-ajax-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.ppc64le", }, product_reference: "jetty-util-ajax-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.s390x", }, product_reference: "jetty-util-ajax-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-util-ajax-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.x86_64", }, product_reference: "jetty-util-ajax-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-webapp-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.aarch64", }, product_reference: "jetty-webapp-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-webapp-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.ppc64le", }, product_reference: "jetty-webapp-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-webapp-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.s390x", }, product_reference: "jetty-webapp-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-webapp-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.x86_64", }, product_reference: "jetty-webapp-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-xml-9.4.56-2.1.aarch64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.aarch64", }, product_reference: "jetty-xml-9.4.56-2.1.aarch64", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-xml-9.4.56-2.1.ppc64le as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.ppc64le", }, product_reference: "jetty-xml-9.4.56-2.1.ppc64le", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-xml-9.4.56-2.1.s390x as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.s390x", }, product_reference: "jetty-xml-9.4.56-2.1.s390x", relates_to_product_reference: "openSUSE Tumbleweed", }, { category: "default_component_of", full_product_name: { name: "jetty-xml-9.4.56-2.1.x86_64 as component of openSUSE Tumbleweed", product_id: "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.x86_64", }, product_reference: "jetty-xml-9.4.56-2.1.x86_64", relates_to_product_reference: "openSUSE Tumbleweed", }, ], }, vulnerabilities: [ { cve: "CVE-2024-8184", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-8184", }, ], notes: [ { category: "general", text: "There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.", title: "CVE description", }, ], product_status: { recommended: [ "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2024-8184", url: "https://www.suse.com/security/cve/CVE-2024-8184", }, { category: "external", summary: "SUSE Bug 1231651 for CVE-2024-8184", url: "https://bugzilla.suse.com/1231651", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-annotations-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-ant-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-cdi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-client-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-continuation-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-deploy-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-fcgi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-http-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-http-spi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-io-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jaas-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jmx-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jndi-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-jsp-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-minimal-javadoc-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-openid-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-plus-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-proxy-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-quickstart-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-rewrite-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-security-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-server-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-servlet-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-servlets-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-start-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-util-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-util-ajax-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-webapp-9.4.56-2.1.x86_64", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.aarch64", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.ppc64le", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.s390x", "openSUSE Tumbleweed:jetty-xml-9.4.56-2.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2024-10-17T00:00:00Z", details: "moderate", }, ], title: "CVE-2024-8184", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.