csaf_redhat - rhsa-2023

rhsa-2023_1286

Vulnerability from csaf_redhat

Published

2023-03-16 09:31

Modified

2024-11-15 13:27

Summary

Red Hat Security Advisory: Migration Toolkit for Runtimes security bug fix and enhancement update

Notes

Topic

Migration Toolkit for Runtimes 1.0.2 release Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Migration Toolkit for Runtimes 1.0.2 Images Security Fix(es): * spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690) * xstream: Denial of Service by injecting recursive collections or maps based on element's hash values raising a stack overflow (CVE-2022-41966) * Apache CXF: SSRF Vulnerability (CVE-2022-46364) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Migration Toolkit for Runtimes 1.0.2 release\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Migration Toolkit for Runtimes 1.0.2 Images\n\nSecurity Fix(es):\n\n* spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client (CVE-2022-31690)\n\n* xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow (CVE-2022-41966)\n\n* Apache CXF: SSRF Vulnerability (CVE-2022-46364)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:1286",
        "url": "https://access.redhat.com/errata/RHSA-2023:1286"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2155682",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
      },
      {
        "category": "external",
        "summary": "2162200",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162200"
      },
      {
        "category": "external",
        "summary": "2170431",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1286.json"
      }
    ],
    "title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2024-11-15T13:27:26+00:00",
      "generator": {
        "date": "2024-11-15T13:27:26+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2023:1286",
      "initial_release_date": "2023-03-16T09:31:14+00:00",
      "revision_history": [
        {
          "date": "2023-03-16T09:31:14+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-03-16T09:31:14+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T13:27:26+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Migration Toolkit for Runtimes 1 on RHEL 8",
                "product": {
                  "name": "Migration Toolkit for Runtimes 1 on RHEL 8",
                  "product_id": "8Base-MTR-1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Migration Toolkit for Runtimes"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
                  "product_id": "mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-37"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le",
                "product": {
                  "name": "mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le",
                  "product_id": "mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=1.0-22"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7?arch=ppc64le\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
                  "product_id": "mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-37"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
                "product": {
                  "name": "mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
                  "product_id": "mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=1.0-22"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4?arch=s390x\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
                  "product_id": "mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-37"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
                "product": {
                  "name": "mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
                  "product_id": "mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-web-container-rhel8\u0026tag=1.0-22"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3?arch=amd64\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
                "product": {
                  "name": "mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
                  "product_id": "mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-operator-bundle\u0026tag=1.0-37"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
                "product": {
                  "name": "mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
                  "product_id": "mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-rhel8-operator\u0026tag=1.0-13"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
                "product": {
                  "name": "mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
                  "product_id": "mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6?arch=arm64\u0026repository_url=registry.redhat.io/mtr/mtr-web-executor-container-rhel8\u0026tag=1.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "arm64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64"
        },
        "product_reference": "mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64"
        },
        "product_reference": "mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64"
        },
        "product_reference": "mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x"
        },
        "product_reference": "mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
        },
        "product_reference": "mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
        "relates_to_product_reference": "8Base-MTR-1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8",
          "product_id": "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
        },
        "product_reference": "mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le",
        "relates_to_product_reference": "8Base-MTR-1"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-31690",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "discovery_date": "2023-01-19T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2162200"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Spring Security framework. Spring Security could allow a remote attacker to gain elevated privileges on the system. By modifying a request initiated by the Client (via the browser) to the Authorization Server, an attacker can gain elevated privileges on the system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Integration Camel-K, Camel-Quarkus, and Camel-SpringBoot do not directly use or ship the affected software, but do have references to it in their Maven POMs. As such their impact has been reduced to Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
        ],
        "known_not_affected": [
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31690"
        },
        {
          "category": "external",
          "summary": "RHBZ#2162200",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162200"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31690",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31690"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31690",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31690"
        },
        {
          "category": "external",
          "summary": "https://spring.io/security/cve-2022-31690",
          "url": "https://spring.io/security/cve-2022-31690"
        }
      ],
      "release_date": "2022-10-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-16T09:31:14+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1286"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "spring-security-oauth2-client: Privilege Escalation in spring-security-oauth2-client"
    },
    {
      "cve": "CVE-2022-41966",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2023-02-16T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2170431"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the xstream package. This flaw allows an attacker to cause a denial of service by injecting recursive collections or maps, raising a stack overflow.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Fuse 7 ships an affected version of XStream. No endpoint in any flavor of Fuse is accepting by default an unverified input stream passed directly to XStream unmarshaller. Documentation always recommend all the endpoints (TCP/UDP/HTTP(S)/other listeners) to have at least one layer of authentication/authorization and Fuse in general itself in particular has a lot of mechanisms to protect the endpoints.\n\nRed Hat Single Sign-On contains XStream as a transitive dependency from Infinispan and the same is not affected as NO_REFERENCE is in use.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
        ],
        "known_not_affected": [
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41966"
        },
        {
          "category": "external",
          "summary": "RHBZ#2170431",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2170431"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41966",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41966"
        },
        {
          "category": "external",
          "summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
        }
      ],
      "release_date": "2022-12-28T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-16T09:31:14+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1286"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "xstream: Denial of Service by injecting recursive collections or maps based on element\u0027s hash values raising a stack overflow"
    },
    {
      "cve": "CVE-2022-46364",
      "cwe": {
        "id": "CWE-918",
        "name": "Server-Side Request Forgery (SSRF)"
      },
      "discovery_date": "2022-12-21T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
            "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
            "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
            "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2155682"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A SSRF vulnerability was found in Apache CXF. This issue occurs when parsing the href attribute of XOP:Include in MTOM requests, allowing an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "CXF: SSRF Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Integration Camel Quarkus does not support CXF extensions and so is affected at a reduced impact of Moderate.\nThe RHSSO server does not ship Apache CXF. The component mentioned in CVE-2022-46364 is a transitive dependency coming from Fuse adapters and the test suite.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
          "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
        ],
        "known_not_affected": [
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:00a133578915e07a223f8c61015ad48d121d07ceb7a94639c9c696fa5bcfe99c_amd64",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:0641798f8d433adc4e12e402aa1777a8034a0c670fe2cfa12335f1e07a289a8d_s390x",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:21bb017f2e1df373f1534242a1ea109de2fac61d72da1a68824bf8b4e317e567_ppc64le",
          "8Base-MTR-1:mtr/mtr-operator-bundle@sha256:2422d9fa5d0855d037d4b6c30902a08455fa5abc5e71d21c60b1571d6205e61f_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:3365d73032b1bdc61609c643cb88b594431ee13ddb107abc8af075d105204672_ppc64le",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:768db938fe00ee47f03aeae89fd1c6a787f0c016753feb34cba30c4eb74cab61_s390x",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:7b641bdf5cf25092f85b6968930c587798239727581d376dbf39aeb913cd5965_arm64",
          "8Base-MTR-1:mtr/mtr-rhel8-operator@sha256:837c280f4154c26ff73f2990ec6b2263825ef090319345276f4aee0965276c84_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:98ef1d7e8dd53c9f9ff491357f4bb29c22a8d777f646f4bec35d5799d4d4abb4_s390x",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:b16e22796ed1319c330059f15daa827844a1d12d35bb2f2ffc8c2e35de388fe6_arm64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:ed14f2b7adeb8e5d111208c5882fd25412055dbdfb0173cc5a5309c83112e5a3_amd64",
          "8Base-MTR-1:mtr/mtr-web-executor-container-rhel8@sha256:fab2b8e08e484747d0409ca139551dc71783e08e7d6dfc6bce09df51a55023f7_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-46364"
        },
        {
          "category": "external",
          "summary": "RHBZ#2155682",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155682"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46364",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46364"
        },
        {
          "category": "external",
          "summary": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2",
          "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
        }
      ],
      "release_date": "2022-12-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-16T09:31:14+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1286"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:6b9bd6697f4a84db25429f8ba1e13110bccb3d4b5c0c726f341ec47288f2f3c9_amd64",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:9642fbf1b7ad9bf5a0cca7c9905d00dc57d0f89397a0f990025ad7848c830495_s390x",
            "8Base-MTR-1:mtr/mtr-web-container-rhel8@sha256:ca075ce4c2061ae0c70dfca7376b9d9f016095b4a4d59c9af91dd42f6a2fc8a2_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "CXF: SSRF Vulnerability"
    }
  ]
}

cve-2022-31690

Vulnerability from cvelistv5

Published

2022-10-31 00:00

Modified

2024-08-03 07:26

Severity ?

Summary

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.

References

▼	URL	Tags
	https://tanzu.vmware.com/security/cve-2022-31690
	https://security.netapp.com/advisory/ntap-20221215-0010/

Impacted products

▼	Vendor	Product
	n/a	Spring Security

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T07:26:01.073Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://tanzu.vmware.com/security/cve-2022-31690"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20221215-0010/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Spring Security",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Spring Security (5.7 to 5.7.4 and 5.6 to 5.6.8 as well as older, unsupported versions)"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Privilege Escalation in spring-security-oauth2-client",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-15T00:00:00",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://tanzu.vmware.com/security/cve-2022-31690"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20221215-0010/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2022-31690",
    "datePublished": "2022-10-31T00:00:00",
    "dateReserved": "2022-05-25T00:00:00",
    "dateUpdated": "2024-08-03T07:26:01.073Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-41966

Vulnerability from cvelistv5

Published

2022-12-27 23:07

Modified

2024-08-03 12:56

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Summary

XStream Denial of Service via stack overflow

References

▼	URL	Tags
	https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv	x_refsource_CONFIRM
	https://x-stream.github.io/CVE-2022-41966.html	x_refsource_MISC

Impacted products

▼	Vendor	Product
	x-stream	xstream

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:56:39.097Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20230216-0005/"
          },
          {
            "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
          },
          {
            "name": "https://x-stream.github.io/CVE-2022-41966.html",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://x-stream.github.io/CVE-2022-41966.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xstream",
          "vendor": "x-stream",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.4.20"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-120",
              "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-27T23:07:54.048Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-j563-grx4-pjpv"
        },
        {
          "name": "https://x-stream.github.io/CVE-2022-41966.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://x-stream.github.io/CVE-2022-41966.html"
        }
      ],
      "source": {
        "advisory": "GHSA-j563-grx4-pjpv",
        "discovery": "UNKNOWN"
      },
      "title": "XStream Denial of Service via stack overflow "
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-41966",
    "datePublished": "2022-12-27T23:07:54.048Z",
    "dateReserved": "2022-09-30T16:38:28.949Z",
    "dateUpdated": "2024-08-03T12:56:39.097Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2022-46364

Vulnerability from cvelistv5

Published

2022-12-13 16:20

Modified

2024-08-03 14:31

Severity ?

Summary

Apache CXF SSRF Vulnerability

References

▼	URL	Tags
	https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1&modificationDate=1670944472739&api=v2	vendor-advisory

Impacted products

▼	Vendor	Product
	Apache Software Foundation	Apache CXF

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T14:31:46.249Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache CXF",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "3.5.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.4.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "thanat0s from Beijin Qihoo 360 adlab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A SSRF vulnerability in parsing the\u0026nbsp;href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u0026nbsp;"
            }
          ],
          "value": "A SSRF vulnerability in parsing the\u00a0href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.\u00a0"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "important"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-13T16:20:26.765Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt?version=1\u0026modificationDate=1670944472739\u0026api=v2"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache CXF SSRF Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-46364",
    "datePublished": "2022-12-13T16:20:26.765Z",
    "dateReserved": "2022-12-02T08:07:46.894Z",
    "dateUpdated": "2024-08-03T14:31:46.249Z",
    "requesterUserId": "cf81350d-439c-4450-9d42-0a054bb6b6c9",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

rhsa-2023_1286

Vulnerability from csaf_redhat

cve-2022-31690

Vulnerability from cvelistv5

cve-2022-41966

Vulnerability from cvelistv5

cve-2022-46364

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature