rhsa-2022_6407
Vulnerability from csaf_redhat
Published
2022-09-09 07:12
Modified
2024-11-15 12:02
Summary
Red Hat Security Advisory: Red Hat Integration Camel-K 1.8 security update

Notes

Topic
A minor version update is now available for Red Hat Integration Camel K. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section. Security Fix(es): * hadoop: WebHDFS client might send SPNEGO authorization header (CVE-2020-9492) * jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS (CVE-2020-27223) * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * mysql-connector-java: unauthorized access to critical (CVE-2021-2471) * lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520) * undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629) * elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure (CVE-2021-22132) * jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163) * jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164) * jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165) * jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714) * Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153) * xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690) * resteasy: Error message exposes endpoint class information (CVE-2021-20289) * elasticsearch: Document disclosure flaw when Document or Field Level Security is used (CVE-2021-22137) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A minor version update is now available for Red Hat Integration Camel K. The purpose of this text-only errata is to inform you about the security issues fixed in this release.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "A minor version update is now available for Red Hat Camel K that includes CVE fixes in the base images, which are documented in the Release Notes document linked in the References section.\n\nSecurity Fix(es):\n\n* hadoop: WebHDFS client might send SPNEGO authorization header (CVE-2020-9492)\n\n* jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS (CVE-2020-27223)\n\n* jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)\n\n* mysql-connector-java: unauthorized access to critical (CVE-2021-2471)\n\n* lz4: memory corruption due to an integer overflow bug caused by memmove argument (CVE-2021-3520)\n\n* undertow: potential security issue in flow control over HTTP/2 may lead to DOS (CVE-2021-3629)\n\n* elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure (CVE-2021-22132)\n\n* jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)\n\n* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)\n\n* jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)\n\n* jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck (CVE-2021-37714)\n\n* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153)\n\n* xml-security: XPath Transform abuse allows for information disclosure (CVE-2021-40690)\n\n* resteasy: Error message exposes endpoint class information (CVE-2021-20289)\n\n* elasticsearch: Document disclosure flaw when Document or Field Level Security is used (CVE-2021-22137)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:6407",
        "url": "https://access.redhat.com/errata/RHSA-2022:6407"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q3",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2022-Q3"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_integration/2022.q3"
      },
      {
        "category": "external",
        "summary": "1923181",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923181"
      },
      {
        "category": "external",
        "summary": "1925237",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925237"
      },
      {
        "category": "external",
        "summary": "1934116",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934116"
      },
      {
        "category": "external",
        "summary": "1935927",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"
      },
      {
        "category": "external",
        "summary": "1943189",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1943189"
      },
      {
        "category": "external",
        "summary": "1945710",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710"
      },
      {
        "category": "external",
        "summary": "1945712",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712"
      },
      {
        "category": "external",
        "summary": "1945714",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714"
      },
      {
        "category": "external",
        "summary": "1954559",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954559"
      },
      {
        "category": "external",
        "summary": "1977362",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
      },
      {
        "category": "external",
        "summary": "1995259",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995259"
      },
      {
        "category": "external",
        "summary": "2009041",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009041"
      },
      {
        "category": "external",
        "summary": "2011190",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011190"
      },
      {
        "category": "external",
        "summary": "2020583",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020583"
      },
      {
        "category": "external",
        "summary": "2064698",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_6407.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Integration Camel-K 1.8 security update",
    "tracking": {
      "current_release_date": "2024-11-15T12:02:20+00:00",
      "generator": {
        "date": "2024-11-15T12:02:20+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2022:6407",
      "initial_release_date": "2022-09-09T07:12:07+00:00",
      "revision_history": [
        {
          "date": "2022-09-09T07:12:07+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-09-09T07:12:07+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T12:02:20+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHAF Camel-K 1.8",
                "product": {
                  "name": "RHAF Camel-K 1.8",
                  "product_id": "RHAF Camel-K 1.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:integration:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-9492",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2021-02-04T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1925237"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache hadoop.  The WebHDFS client can send a SPNEGO authorization header to a remote URL without proper verification which could lead to an access restriction bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "hadoop: WebHDFS client might send SPNEGO authorization header",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "While OpenShift Container Platform (OCP) does package a vulnerable version of hadoop-hdfs-client in the hadoop and hive containers, the HDFS storage back-end is not enabled by default and is largely undocumented/unsupported. However, as it still can be enabled by using the configuration option `unsupportedFeatures.enabledHDFS`, the vulnerability has been rated Moderate for OCP.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of hadoop package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-9492"
        },
        {
          "category": "external",
          "summary": "RHBZ#1925237",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925237"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-9492",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-9492"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9492",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9492"
        },
        {
          "category": "external",
          "summary": "https://hadoop.apache.org/cve_list.html",
          "url": "https://hadoop.apache.org/cve_list.html"
        },
        {
          "category": "external",
          "summary": "https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-1065272",
          "url": "https://snyk.io/vuln/SNYK-JAVA-ORGAPACHEHADOOP-1065272"
        }
      ],
      "release_date": "2021-01-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "hadoop: WebHDFS client might send SPNEGO authorization header"
    },
    {
      "cve": "CVE-2020-27223",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2021-02-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1934116"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of \u201cquality\u201d (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-27223"
        },
        {
          "category": "external",
          "summary": "RHBZ#1934116",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1934116"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-27223",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-27223"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7",
          "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7"
        }
      ],
      "release_date": "2021-02-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS"
    },
    {
      "cve": "CVE-2020-36518",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2022-03-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2064698"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jackson-databind: denial of service via a large depth of nested objects",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "CodeReady Studio is no longer supported and therefore this flaw will not be addressed in CodeReady Studio.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-36518"
        },
        {
          "category": "external",
          "summary": "RHBZ#2064698",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2064698"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-36518",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-57j2-w4cx-62h2",
          "url": "https://github.com/advisories/GHSA-57j2-w4cx-62h2"
        }
      ],
      "release_date": "2020-08-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jackson-databind: denial of service via a large depth of nested objects"
    },
    {
      "cve": "CVE-2021-2471",
      "cwe": {
        "id": "CWE-863",
        "name": "Incorrect Authorization"
      },
      "discovery_date": "2021-11-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2020583"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "MySQL Connector/J has no security check when external general entities are included in XML sources, consequently, there exists an XML External Entity(XXE) vulnerability. A successful attack can access critical data and gain full control/access to all MySQL Connectors\u0027 accessible data without any authorization.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mysql-connector-java: unauthorized access to critical",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform (OCP), the Presto component is part of the OCP Metering stack and it ships the vulnerable version of the MySQL Connector/J package. Since the release of OCP 4.6, the Metering product has been deprecated and is removed from OCP starting from 4.9 version [1], hence the affected component is marked as wontfix.\n\n[1] https://docs.openshift.com/container-platform/4.9/release_notes/ocp-4-9-release-notes.html#ocp-4-9-deprecated-removed-features",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-2471"
        },
        {
          "category": "external",
          "summary": "RHBZ#2020583",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020583"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-2471",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-2471"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-2471",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-2471"
        },
        {
          "category": "external",
          "summary": "https://www.oracle.com/security-alerts/cpuoct2021.html",
          "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
        }
      ],
      "release_date": "2021-10-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "mysql-connector-java: unauthorized access to critical"
    },
    {
      "cve": "CVE-2021-3520",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2021-03-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1954559"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "There\u0027s a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "lz4: memory corruption due to an integer overflow bug caused by memmove argument",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is out of support scope for Red Hat Enterprise Linux 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3520"
        },
        {
          "category": "external",
          "summary": "RHBZ#1954559",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1954559"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3520",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3520"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3520",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3520"
        }
      ],
      "release_date": "2021-04-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "lz4: memory corruption due to an integer overflow bug caused by memmove argument"
    },
    {
      "cve": "CVE-2021-3629",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2021-04-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1977362"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: potential security issue in flow control over HTTP/2 may lead to DOS",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-3629"
        },
        {
          "category": "external",
          "summary": "RHBZ#1977362",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1977362"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-3629",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-3629"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-3629",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3629"
        }
      ],
      "release_date": "2021-03-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "undertow: potential security issue in flow control over HTTP/2 may lead to DOS"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dirk Papenberg"
          ],
          "organization": "NTT DATA Germany"
        }
      ],
      "cve": "CVE-2021-20289",
      "cwe": {
        "id": "CWE-209",
        "name": "Generation of Error Message Containing Sensitive Information"
      },
      "discovery_date": "2021-03-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1935927"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method\u0027s parameter value. The highest threat from this vulnerability is to data confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "resteasy: Error message exposes endpoint class information",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-20289"
        },
        {
          "category": "external",
          "summary": "RHBZ#1935927",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-20289",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-20289"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20289"
        }
      ],
      "release_date": "2021-03-03T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "resteasy: Error message exposes endpoint class information"
    },
    {
      "cve": "CVE-2021-22132",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "discovery_date": "2021-02-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1923181"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-22132"
        },
        {
          "category": "external",
          "summary": "RHBZ#1923181",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1923181"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22132",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-22132"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22132",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22132"
        },
        {
          "category": "external",
          "summary": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164",
          "url": "https://discuss.elastic.co/t/elasticsearch-7-10-2-security-update/261164"
        }
      ],
      "release_date": "2021-01-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "elasticsearch: executing async search improperly stores HTTP headers leading to information disclosure"
    },
    {
      "cve": "CVE-2021-22137",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2021-03-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1943189"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Elasticsearch versions before 7.11.2 and 6.8.15 a document disclosure flaw was found when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain cross-cluster search queries. This could result in the search disclosing the existence of documents the attacker should not be able to view. This could result in an attacker gaining additional insight into potentially sensitive indices.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "elasticsearch: Document disclosure flaw when Document or Field Level Security is used",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In Elasticsearch, Document and Field Level Security is an enterprise only feature [1]. Hence the open source version is unaffected by this vulnerability.\n\n[1] https://www.elastic.co/subscriptions",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-22137"
        },
        {
          "category": "external",
          "summary": "RHBZ#1943189",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1943189"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22137",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-22137"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22137",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22137"
        },
        {
          "category": "external",
          "summary": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125",
          "url": "https://discuss.elastic.co/t/elastic-stack-7-12-0-and-6-8-15-security-update/268125"
        }
      ],
      "release_date": "2021-03-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "elasticsearch: Document disclosure flaw when Document or Field Level Security is used"
    },
    {
      "cve": "CVE-2021-28163",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2021-04-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1945710"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty: Symlink directory exposes webapp directory contents",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-28163"
        },
        {
          "category": "external",
          "summary": "RHBZ#1945710",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28163",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
          "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq"
        }
      ],
      "release_date": "2021-04-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 2.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jetty: Symlink directory exposes webapp directory contents"
    },
    {
      "cve": "CVE-2021-28164",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2021-04-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1945712"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty: Ambiguous paths can access WEB-INF",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-28164"
        },
        {
          "category": "external",
          "summary": "RHBZ#1945712",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28164",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
          "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
        }
      ],
      "release_date": "2021-04-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jetty: Ambiguous paths can access WEB-INF"
    },
    {
      "cve": "CVE-2021-28165",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2021-04-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1945714"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jetty: Resource exhaustion when receiving an invalid large TLS frame",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-28165"
        },
        {
          "category": "external",
          "summary": "RHBZ#1945714",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28165",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-28165"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
          "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w"
        }
      ],
      "release_date": "2021-04-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "jetty: Resource exhaustion when receiving an invalid large TLS frame"
    },
    {
      "cve": "CVE-2021-37714",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2021-08-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1995259"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-37714"
        },
        {
          "category": "external",
          "summary": "RHBZ#1995259",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995259"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-37714",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-37714"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-37714",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37714"
        },
        {
          "category": "external",
          "summary": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c",
          "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c"
        }
      ],
      "release_date": "2021-08-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck"
    },
    {
      "cve": "CVE-2021-38153",
      "cwe": {
        "id": "CWE-367",
        "name": "Time-of-check Time-of-use (TOCTOU) Race Condition"
      },
      "discovery_date": "2021-09-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2009041"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Some components in Apache Kafka use `Arrays.equals` to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-38153"
        },
        {
          "category": "external",
          "summary": "RHBZ#2009041",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2009041"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-38153",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-38153"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-38153",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38153"
        }
      ],
      "release_date": "2021-09-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients"
    },
    {
      "cve": "CVE-2021-40690",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2021-09-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2011190"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the \"secureValidation\" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "xml-security: XPath Transform abuse allows for information disclosure",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Since OpenShift Container Platform (OCP) 4.7, the logging-elasticsearch6-container is shipping as a part of the OpenShift Logging product (openshift-logging/elasticsearch6-rhel8). The elasticsearch component delivered in OCP 4.6 is marked as `Out of support scope` because these versions are already under Maintenance Phase of the support.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHAF Camel-K 1.8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-40690"
        },
        {
          "category": "external",
          "summary": "RHBZ#2011190",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2011190"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-40690",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-40690"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-40690",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40690"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E",
          "url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E"
        }
      ],
      "release_date": "2021-09-17T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-09-09T07:12:07+00:00",
          "details": "Before applying this update, make sure all previously released errata relevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHAF Camel-K 1.8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:6407"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHAF Camel-K 1.8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "xml-security: XPath Transform abuse allows for information disclosure"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.