RHSA-2023_1516

Vulnerability from csaf_redhat - Published: 2023-03-29 11:45 - Updated: 2024-12-17 23:02
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.10 security update
Severity
Important
Notes
Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.

This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)
* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)
* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)
* apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)
* RESTEasy: creation of insecure temp files (CVE-2023-0482)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

A flaw was found in the SnakeYaml package. It allows an attacker to achieve remote code execution by sending malicious YAML content that the application deserializes with SnakeYaml's Constructor. This deserialization is unsafe and leads to Remote Code Execution (RCE).
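The configuration side of this flaw, as an added example (not Red Hat's or the SnakeYAML project's code): the default Yaml() in SnakeYAML 1.x uses Constructor, which honours global "!!fully.qualified.ClassName" tags in untrusted input, while SafeConstructor only builds standard YAML types and rejects every global tag. It assumes SnakeYAML 1.33 or later (the SafeConstructor(LoaderOptions) constructor) and uses a constructed, harmless input.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example, not part of the advisory or of SnakeYAML itself.
 * Demonstrates that SafeConstructor refuses to instantiate arbitrary
 * Java classes named by global tags, which is the behaviour CVE-2022-1471
 * relies on when the plain Constructor is used on untrusted YAML.
 */
public final class SafeYamlLoading {

    // Constructed sample: harmless, but carries a global Java type tag.
    // The plain Constructor would instantiate java.util.HashMap here; the
    // point is that the tag, not the content, selects the class.
    static final String TAGGED_INPUT = "!!java.util.HashMap {key: value}";

    // Constructed sample: plain YAML without any global tags.
    static final String PLAIN_INPUT = "key: value\nlist: [1, 2]\n";

    /**
     * Parse untrusted YAML with SafeConstructor.
     * Returns the parsed object, or null when the document is rejected.
     */
    static Object loadSafely(String yamlText) {
        // SafeConstructor registers constructors only for the standard YAML
        // tags (map, seq, str, int, ...); any other tag falls through to an
        // "undefined" constructor that throws instead of loading a class.
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        try {
            return yaml.load(yamlText);
        } catch (YAMLException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Plain input loads as an ordinary java.util.Map.
        System.out.println("plain  -> " + loadSafely(PLAIN_INPUT));
        // Tagged input is rejected: prints "rejected: could not determine a
        // constructor for the tag tag:yaml.org,2002:java.util.HashMap ..."
        // on stderr and then "tagged -> null".
        System.out.println("tagged -> " + loadSafely(TAGGED_INPUT));
    }
}
```

Applications that need typed loading should use a Constructor restricted to their own root class (for example new Constructor(MyConfig.class, new LoaderOptions())) rather than the default Constructor, and must never pass untrusted input to it.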

CWE-502 - Deserialization of Untrusted Data
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

A flaw was found in undertow. The undertow client does not check the server identity that the server certificate presents in HTTPS connections. This is a compulsory step (one that should at least be performed by default) in HTTPS and in HTTP/2.

CWE-550 - Server-generated Error Message Containing Sensitive Information
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

A flaw was found in the snakeyaml package due to a stack overflow when parsing YAML files. By persuading a victim to open a specially crafted file, a remote attacker could cause the application to crash.

CWE-787 - Out-of-bounds Write
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

A flaw was found in the HSQLDB package. By default, any static method of any Java class on the classpath can be invoked from SQL, so untrusted input can lead to remote code execution.

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

Workaround: By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk). In the example below, the property has been included as an argument to the Java command.

    java -Dhsqldb.method_class_names="org.me.MyClass;org.you.YourClass;org.you.lib.*" [the rest of the command line]

The above example allows access to the methods in the two classes org.me.MyClass and org.you.YourClass, together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.

The user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method. Once the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.

In hsqldb 2.7.1, all classes are not accessible by default, except those in java.lang.Math, and need to be manually enabled.

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to denial of service (DoS) attacks. If the parser runs on user-supplied input, an attacker may supply content that crashes the parser through a stack overflow, which can support a denial of service attack.

CWE-787 - Out-of-bounds Write
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

A flaw was found in codec-haproxy from the Netty project. It allows an attacker to craft a malformed message that triggers infinite recursion, exhausting the stack and leading to a denial of service (DoS).

CWE-674 - Uncontrolled Recursion
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

A flaw was found in Apache James's Mime4j TempFileStorageProvider class, which may set improper permissions on the temporary files it uses. This allows a locally authorized attacker to access information outside their intended permissions.

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

In RESTEasy, the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes. It creates temporary files with insecure permissions that a local user could read.
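The two JDK temp-file APIs behind this flaw side by side, as an added example (not RESTEasy's code): File.createTempFile() creates the file with mode 0666 masked by the process umask (typically 0644, world-readable), whereas java.nio.file.Files.createTempFile() creates it owner-only (rw-------) on POSIX file systems. It assumes a POSIX file system, since the permission check uses PosixFilePermission.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/**
 * Added example, not part of the advisory or of RESTEasy.
 * Shows the insecure temp-file pattern named in CVE-2023-0482 beside the
 * hardened java.nio pattern, and a check a reviewer can run on either.
 */
public final class TempFilePermissions {

    /** The legacy java.io pattern the advisory describes as insecure. */
    static Path legacyTempFile() throws IOException {
        // Created via the old File API: permissions follow the umask, so on
        // a typical 022 umask the file is 0644 and readable by other users.
        File f = File.createTempFile("upload", ".tmp");
        f.deleteOnExit();
        return f.toPath();
    }

    /** The hardened java.nio pattern: owner read/write only by default. */
    static Path hardenedTempFile() throws IOException {
        // Files.createTempFile applies rw------- on POSIX when no explicit
        // FileAttribute is passed, independent of the umask.
        Path p = Files.createTempFile("upload", ".tmp");
        p.toFile().deleteOnExit();
        return p;
    }

    /** True when any group or world permission bit is set on the file. */
    static boolean exposedToOtherUsers(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission perm : perms) {
            switch (perm) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    return true;
                default:
                    break;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = hardenedTempFile();
        System.out.println("java.io  " + Files.getPosixFilePermissions(legacy)
            + (exposedToOtherUsers(legacy) ? "  <-- readable by other local users" : ""));
        System.out.println("java.nio " + Files.getPosixFilePermissions(hardened)
            + (exposedToOtherUsers(hardened) ? "  <-- unexpected" : "  owner only"));
    }
}
```

On a host with the usual 022 umask the first line reports [OWNER_READ, OWNER_WRITE, GROUP_READ, OTHERS_READ] and the second [OWNER_READ, OWNER_WRITE]; the same exposedToOtherUsers check can be pointed at an application's temp directory to confirm which pattern it is using.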

CWE-378 - Creation of Temporary File With Insecure Permissions
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516

A flaw was found in undertow. It makes a denial of service possible: an unexpected handshake status update in SslConduit leaves the close loop without a terminating condition, so it never exits.

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Vendor Fix: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258. Errata: https://access.redhat.com/errata/RHSA-2023:1516
References
https://access.redhat.com/errata/RHSA-2023:1516 self
https://access.redhat.com/security/updates/classi… external
https://access.redhat.com/jbossnetwork/restricted… external
https://access.redhat.com/documentation/en-us/red… external
https://access.redhat.com/documentation/en-us/red… external
https://bugzilla.redhat.com/show_bug.cgi?id=2129710 external
https://bugzilla.redhat.com/show_bug.cgi?id=2136141 external
https://bugzilla.redhat.com/show_bug.cgi?id=2150009 external
https://bugzilla.redhat.com/show_bug.cgi?id=2151988 external
https://bugzilla.redhat.com/show_bug.cgi?id=2153260 external
https://bugzilla.redhat.com/show_bug.cgi?id=2153379 external
https://bugzilla.redhat.com/show_bug.cgi?id=2158916 external
https://bugzilla.redhat.com/show_bug.cgi?id=2166004 external
https://bugzilla.redhat.com/show_bug.cgi?id=2174246 external
https://issues.redhat.com/browse/JBEAP-23572 external
https://issues.redhat.com/browse/JBEAP-24172 external
https://issues.redhat.com/browse/JBEAP-24182 external
https://issues.redhat.com/browse/JBEAP-24220 external
https://issues.redhat.com/browse/JBEAP-24254 external
https://issues.redhat.com/browse/JBEAP-24292 external
https://issues.redhat.com/browse/JBEAP-24339 external
https://issues.redhat.com/browse/JBEAP-24341 external
https://issues.redhat.com/browse/JBEAP-24363 external
https://issues.redhat.com/browse/JBEAP-24372 external
https://issues.redhat.com/browse/JBEAP-24380 external
https://issues.redhat.com/browse/JBEAP-24383 external
https://issues.redhat.com/browse/JBEAP-24384 external
https://issues.redhat.com/browse/JBEAP-24385 external
https://issues.redhat.com/browse/JBEAP-24395 external
https://issues.redhat.com/browse/JBEAP-24507 external
https://issues.redhat.com/browse/JBEAP-24535 external
https://issues.redhat.com/browse/JBEAP-24574 external
https://issues.redhat.com/browse/JBEAP-24588 external
https://issues.redhat.com/browse/JBEAP-24605 external
https://issues.redhat.com/browse/JBEAP-24618 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2022-1471 self
https://bugzilla.redhat.com/show_bug.cgi?id=2150009 external
https://www.cve.org/CVERecord?id=CVE-2022-1471 external
https://nvd.nist.gov/vuln/detail/CVE-2022-1471 external
https://github.com/google/security-research/secur… external
https://access.redhat.com/security/cve/CVE-2022-4492 self
https://bugzilla.redhat.com/show_bug.cgi?id=2153260 external
https://www.cve.org/CVERecord?id=CVE-2022-4492 external
https://nvd.nist.gov/vuln/detail/CVE-2022-4492 external
https://access.redhat.com/security/cve/CVE-2022-38752 self
https://bugzilla.redhat.com/show_bug.cgi?id=2129710 external
https://www.cve.org/CVERecord?id=CVE-2022-38752 external
https://nvd.nist.gov/vuln/detail/CVE-2022-38752 external
https://access.redhat.com/security/cve/CVE-2022-41853 self
https://bugzilla.redhat.com/show_bug.cgi?id=2136141 external
https://www.cve.org/CVERecord?id=CVE-2022-41853 external
https://nvd.nist.gov/vuln/detail/CVE-2022-41853 external
http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt… external
https://github.com/advisories/GHSA-77xx-rxvh-q682 external
https://access.redhat.com/security/cve/CVE-2022-41854 self
https://bugzilla.redhat.com/show_bug.cgi?id=2151988 external
https://www.cve.org/CVERecord?id=CVE-2022-41854 external
https://nvd.nist.gov/vuln/detail/CVE-2022-41854 external
https://bitbucket.org/snakeyaml/snakeyaml/issues/… external
https://bugs.chromium.org/p/oss-fuzz/issues/detai… external
https://access.redhat.com/security/cve/CVE-2022-41881 self
https://bugzilla.redhat.com/show_bug.cgi?id=2153379 external
https://www.cve.org/CVERecord?id=CVE-2022-41881 external
https://nvd.nist.gov/vuln/detail/CVE-2022-41881 external
https://access.redhat.com/security/cve/CVE-2022-45787 self
https://bugzilla.redhat.com/show_bug.cgi?id=2158916 external
https://www.cve.org/CVERecord?id=CVE-2022-45787 external
https://nvd.nist.gov/vuln/detail/CVE-2022-45787 external
https://access.redhat.com/security/cve/CVE-2023-0482 self
https://bugzilla.redhat.com/show_bug.cgi?id=2166004 external
https://www.cve.org/CVERecord?id=CVE-2023-0482 external
https://nvd.nist.gov/vuln/detail/CVE-2023-0482 external
https://access.redhat.com/security/cve/CVE-2023-1108 self
https://bugzilla.redhat.com/show_bug.cgi?id=2174246 external
https://www.cve.org/CVERecord?id=CVE-2023-1108 external
https://nvd.nist.gov/vuln/detail/CVE-2023-1108 external
https://github.com/advisories/GHSA-m4mm-pg93-fv78 external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)\n\n* hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)\n\n* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)\n\n* undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)\n\n* snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)\n\n* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)\n\n* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)\n\n* apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787)\n\n* RESTEasy: creation of insecure temp files (CVE-2023-0482)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:1516",
        "url": "https://access.redhat.com/errata/RHSA-2023:1516"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=7.4"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
      },
      {
        "category": "external",
        "summary": "2129710",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
      },
      {
        "category": "external",
        "summary": "2136141",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141"
      },
      {
        "category": "external",
        "summary": "2150009",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
      },
      {
        "category": "external",
        "summary": "2151988",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
      },
      {
        "category": "external",
        "summary": "2153260",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
      },
      {
        "category": "external",
        "summary": "2153379",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
      },
      {
        "category": "external",
        "summary": "2158916",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158916"
      },
      {
        "category": "external",
        "summary": "2166004",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
      },
      {
        "category": "external",
        "summary": "2174246",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
      },
      {
        "category": "external",
        "summary": "JBEAP-23572",
        "url": "https://issues.redhat.com/browse/JBEAP-23572"
      },
      {
        "category": "external",
        "summary": "JBEAP-24172",
        "url": "https://issues.redhat.com/browse/JBEAP-24172"
      },
      {
        "category": "external",
        "summary": "JBEAP-24182",
        "url": "https://issues.redhat.com/browse/JBEAP-24182"
      },
      {
        "category": "external",
        "summary": "JBEAP-24220",
        "url": "https://issues.redhat.com/browse/JBEAP-24220"
      },
      {
        "category": "external",
        "summary": "JBEAP-24254",
        "url": "https://issues.redhat.com/browse/JBEAP-24254"
      },
      {
        "category": "external",
        "summary": "JBEAP-24292",
        "url": "https://issues.redhat.com/browse/JBEAP-24292"
      },
      {
        "category": "external",
        "summary": "JBEAP-24339",
        "url": "https://issues.redhat.com/browse/JBEAP-24339"
      },
      {
        "category": "external",
        "summary": "JBEAP-24341",
        "url": "https://issues.redhat.com/browse/JBEAP-24341"
      },
      {
        "category": "external",
        "summary": "JBEAP-24363",
        "url": "https://issues.redhat.com/browse/JBEAP-24363"
      },
      {
        "category": "external",
        "summary": "JBEAP-24372",
        "url": "https://issues.redhat.com/browse/JBEAP-24372"
      },
      {
        "category": "external",
        "summary": "JBEAP-24380",
        "url": "https://issues.redhat.com/browse/JBEAP-24380"
      },
      {
        "category": "external",
        "summary": "JBEAP-24383",
        "url": "https://issues.redhat.com/browse/JBEAP-24383"
      },
      {
        "category": "external",
        "summary": "JBEAP-24384",
        "url": "https://issues.redhat.com/browse/JBEAP-24384"
      },
      {
        "category": "external",
        "summary": "JBEAP-24385",
        "url": "https://issues.redhat.com/browse/JBEAP-24385"
      },
      {
        "category": "external",
        "summary": "JBEAP-24395",
        "url": "https://issues.redhat.com/browse/JBEAP-24395"
      },
      {
        "category": "external",
        "summary": "JBEAP-24507",
        "url": "https://issues.redhat.com/browse/JBEAP-24507"
      },
      {
        "category": "external",
        "summary": "JBEAP-24535",
        "url": "https://issues.redhat.com/browse/JBEAP-24535"
      },
      {
        "category": "external",
        "summary": "JBEAP-24574",
        "url": "https://issues.redhat.com/browse/JBEAP-24574"
      },
      {
        "category": "external",
        "summary": "JBEAP-24588",
        "url": "https://issues.redhat.com/browse/JBEAP-24588"
      },
      {
        "category": "external",
        "summary": "JBEAP-24605",
        "url": "https://issues.redhat.com/browse/JBEAP-24605"
      },
      {
        "category": "external",
        "summary": "JBEAP-24618",
        "url": "https://issues.redhat.com/browse/JBEAP-24618"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1516.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.10 security update",
    "tracking": {
      "current_release_date": "2024-12-17T23:02:16+00:00",
      "generator": {
        "date": "2024-12-17T23:02:16+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.3"
        }
      },
      "id": "RHSA-2023:1516",
      "initial_release_date": "2023-03-29T11:45:38+00:00",
      "revision_history": [
        {
          "date": "2023-03-29T11:45:38+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-03-29T11:45:38+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-17T23:02:16+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "EAP 7.4.10 release",
                "product": {
                  "name": "EAP 7.4.10 release",
                  "product_id": "EAP 7.4.10 release",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-1471",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2022-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2150009"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "SnakeYaml: Constructor Deserialization Remote Code Execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml\u0027s SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker\u0027s control. Due to that the impact for RHPAM is reduced to Low.\n\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml\u0027s Constructor class nor pass untrusted data to this class. When this class is used, it\u2019s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-1471"
        },
        {
          "category": "external",
          "summary": "RHBZ#2150009",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2150009"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-1471",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1471"
        },
        {
          "category": "external",
          "summary": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
          "url": "https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2"
        }
      ],
      "release_date": "2022-10-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "SnakeYaml: Constructor Deserialization Remote Code Execution"
    },
    {
      "cve": "CVE-2022-4492",
      "cwe": {
        "id": "CWE-550",
        "name": "Server-generated Error Message Containing Sensitive Information"
      },
      "discovery_date": "2022-12-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2153260"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. This is a compulsory step ( that should at least be performed by default) in HTTPS and in http/2.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Server identity in https connection is not checked by the undertow client",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-4492"
        },
        {
          "category": "external",
          "summary": "RHBZ#2153260",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153260"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4492",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-4492"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4492"
        }
      ],
      "release_date": "2022-12-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "undertow: Server identity in https connection is not checked by the undertow client"
    },
    {
      "cve": "CVE-2022-38752",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2022-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2129710"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the snakeyaml package due to a stack-overflow in parsing YAML files. By persuading a victim to open a specially-crafted file, a remote attacker could cause the application to crash.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Build of Quarkus is not affected by this issue as it already includes the fixed version.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-38752"
        },
        {
          "category": "external",
          "summary": "RHBZ#2129710",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2129710"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-38752",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38752"
        }
      ],
      "release_date": "2022-09-05T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode"
    },
    {
      "cve": "CVE-2022-41853",
      "cwe": {
        "id": "CWE-470",
        "name": "Use of Externally-Controlled Input to Select Classes or Code (\u0027Unsafe Reflection\u0027)"
      },
      "discovery_date": "2022-10-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2136141"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the HSQLDB package. Untrusted input can lead to remote code execution because, by default, any static method of any Java class on the classpath can be invoked from SQL routines.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "hsqldb: Untrusted input may lead to RCE attack",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41853"
        },
        {
          "category": "external",
          "summary": "RHBZ#2136141",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136141"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41853",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41853"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41853"
        },
        {
          "category": "external",
          "summary": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control",
          "url": "http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-77xx-rxvh-q682",
          "url": "https://github.com/advisories/GHSA-77xx-rxvh-q682"
        }
      ],
      "release_date": "2022-10-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        },
        {
          "category": "workaround",
          "details": "By default, the static methods of any class that is on the classpath are available for use and can compromise security in some systems. The optional Java system property, hsqldb.method_class_names, allows preventing access to classes other than java.lang.Math or specifying a semicolon-separated list of allowed classes. A property value that ends with .* is treated as a wild card and allows access to all class or method names formed by substitution of the * (asterisk).\n\nIn the example below, the property has been included as an argument to the Java command.\n\n java -Dhsqldb.method_class_names=\"org.me.MyClass;org.you.YourClass;org.you.lib.*\" [the rest of the command line]\n\nThe above example allows access to the methods in the two classes: org.me.MyClass and org.you.YourClass together with all the classes in the org.you.lib package. Note that if the property is not defined, no access control is performed at this level.\n\nThe user who creates a Java routine must have the relevant access privileges on the tables that are used inside the Java method.\n\nOnce the routine has been defined, the normal database access control applies to its user. The routine can be executed only by those users who have been granted EXECUTE privileges on it. Access to routines can be granted to users with GRANT EXECUTE or GRANT ALL. For example, GRANT EXECUTE ON myroutine TO PUBLIC.\n\nIn hsqldb 2.7.1, no classes are accessible by default except those in java.lang.Math; access to any other class must be enabled manually.",
          "product_ids": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "hsqldb: Untrusted input may lead to RCE attack"
    },
    {
      "cve": "CVE-2022-41854",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "discovery_date": "2022-12-08T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2151988"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Those using SnakeYAML to parse untrusted YAML files may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "dev-java/snakeyaml: DoS via stack overflow",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41854"
        },
        {
          "category": "external",
          "summary": "RHBZ#2151988",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151988"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41854",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41854"
        },
        {
          "category": "external",
          "summary": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355",
          "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/543/stackoverflow-oss-fuzz-50355"
        },
        {
          "category": "external",
          "summary": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355",
          "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355"
        }
      ],
      "release_date": "2022-11-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "dev-java/snakeyaml: DoS via stack overflow"
    },
    {
      "cve": "CVE-2022-41881",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2022-12-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2153379"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in codec-haproxy from the Netty project. This flaw allows an attacker to build a malformed crafted message and cause infinite recursion, causing stack exhaustion and leading to a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41881"
        },
        {
          "category": "external",
          "summary": "RHBZ#2153379",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153379"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41881",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881"
        }
      ],
      "release_date": "2022-12-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS"
    },
    {
      "cve": "CVE-2022-45787",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2023-01-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2158916"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Apache James\u0027s Mime4j TempFileStorageProvider class, where it may set improper permissions when utilizing temporary files. This flaw allows a locally authorized attacker to access information outside their intended permissions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-45787"
        },
        {
          "category": "external",
          "summary": "RHBZ#2158916",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158916"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-45787",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-45787"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-45787",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45787"
        }
      ],
      "release_date": "2023-01-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider"
    },
    {
      "cve": "CVE-2023-0482",
      "cwe": {
        "id": "CWE-378",
        "name": "Creation of Temporary File With Insecure Permissions"
      },
      "discovery_date": "2023-01-31T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2166004"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "RESTEasy: creation of insecure temp files",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-0482"
        },
        {
          "category": "external",
          "summary": "RHBZ#2166004",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2166004"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-0482",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-0482"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0482"
        }
      ],
      "release_date": "2023-01-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "RESTEasy: creation of insecure temp files"
    },
    {
      "cve": "CVE-2023-1108",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
      },
      "discovery_date": "2023-02-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2174246"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Undertow. An unexpected handshake status update in SslConduit causes its close loop to never terminate, making a denial of service possible.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Undertow: Infinite loop in SslConduit during close",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "EAP 7.4.10 release"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-1108"
        },
        {
          "category": "external",
          "summary": "RHBZ#2174246",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2174246"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1108",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-1108"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1108"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-m4mm-pg93-fv78",
          "url": "https://github.com/advisories/GHSA-m4mm-pg93-fv78"
        }
      ],
      "release_date": "2023-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-29T11:45:38+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "EAP 7.4.10 release"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1516"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "EAP 7.4.10 release"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Undertow: Infinite loop in SslConduit during close"
    }
  ]
}