rhsa-2023_3906
Vulnerability from csaf_redhat
Published
2023-06-28 15:59
Modified
2024-11-15 13:35
Summary
Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update

Notes

Topic
Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.
Details
A security update for Camel K 1.10.1 is now available. The purpose of this text-only errata is to inform you about the security issues fixed with this release. * json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370) * codehaus-plexus: Directory Traversal (CVE-2022-4244) * codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245) * scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368) * jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946) * Apache CXF: directory listing / code exfiltration (CVE-2022-46363) A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat Integration Camel K 1.10.1 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed. Red Hat Product Security has rated this update as having an impact of Important.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "A security update for Camel K 1.10.1 is now available.\n\nThe purpose of this text-only errata is to inform you about the security issues fixed with this release.\n\n* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)(CVE-2023-1370)\n\n* codehaus-plexus: Directory Traversal (CVE-2022-4244)\n\n* codehaus-plexus: XML External Entity (XXE) Injection (CVE-2022-4245)\n\n* scandium: Failing DTLS handshakes may cause throttling to block processing of records (CVE-2022-39368)\n\n* jdbc-postgresql: postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions (CVE-2022-41946)\n\n* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)\n\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:3906",
        "url": "https://access.redhat.com/errata/RHSA-2023:3906"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q2",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=red.hat.integration\u0026version=2023-Q2"
      },
      {
        "category": "external",
        "summary": "2145205",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145205"
      },
      {
        "category": "external",
        "summary": "2149841",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841"
      },
      {
        "category": "external",
        "summary": "2149843",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843"
      },
      {
        "category": "external",
        "summary": "2153399",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
      },
      {
        "category": "external",
        "summary": "2155681",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
      },
      {
        "category": "external",
        "summary": "2188542",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_3906.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Integration Camel K 1.10.1 release security update",
    "tracking": {
      "current_release_date": "2024-11-15T13:35:18+00:00",
      "generator": {
        "date": "2024-11-15T13:35:18+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2023:3906",
      "initial_release_date": "2023-06-28T15:59:12+00:00",
      "revision_history": [
        {
          "date": "2023-06-28T15:59:12+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-06-28T15:59:12+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-15T13:35:18+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHINT Camel-K-1.10.1",
                "product": {
                  "name": "RHINT Camel-K-1.10.1",
                  "product_id": "RHINT Camel-K-1.10.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:camel_k:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-4244",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2022-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2149841"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "codehaus-plexus: Directory Traversal",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Single Sign-On uses this package for testing purposes and is not delivered with the distribution. Hence not affected status.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K-1.10.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-4244"
        },
        {
          "category": "external",
          "summary": "RHBZ#2149841",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4244",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-4244"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4244",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4244"
        }
      ],
      "release_date": "2022-12-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-28T15:59:12+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K-1.10.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3906"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K-1.10.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "codehaus-plexus: Directory Traversal"
    },
    {
      "cve": "CVE-2022-4245",
      "cwe": {
        "id": "CWE-91",
        "name": "XML Injection (aka Blind XPath Injection)"
      },
      "discovery_date": "2022-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2149843"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --\u003e sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "codehaus-plexus: XML External Entity (XXE) Injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K-1.10.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-4245"
        },
        {
          "category": "external",
          "summary": "RHBZ#2149843",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-4245",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-4245"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245"
        }
      ],
      "release_date": "2022-12-01T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-28T15:59:12+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K-1.10.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3906"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K-1.10.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "codehaus-plexus: XML External Entity (XXE) Injection"
    },
    {
      "cve": "CVE-2022-39368",
      "cwe": {
        "id": "CWE-459",
        "name": "Incomplete Cleanup"
      },
      "discovery_date": "2022-11-23T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2145205"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Eclipse Californium Scandium package. This issue occurs when failing handshakes don\u0027t clean up counters for throttling, causing the threshold to be reached without being released again, resulting in a denial of service. An attacker could submit a high quantity of server requests, leaving the server unable to respond.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "scandium: Failing DTLS handshakes may cause throttling to block processing of records",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K-1.10.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-39368"
        },
        {
          "category": "external",
          "summary": "RHBZ#2145205",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145205"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-39368",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-39368"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-39368",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39368"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc",
          "url": "https://github.com/eclipse-californium/californium/security/advisories/GHSA-p72g-cgh9-ghjgc"
        }
      ],
      "release_date": "2022-11-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-28T15:59:12+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K-1.10.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3906"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K-1.10.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "scandium: Failing DTLS handshakes may cause throttling to block processing of records"
    },
    {
      "cve": "CVE-2022-41946",
      "cwe": {
        "id": "CWE-377",
        "name": "Insecure Temporary File"
      },
      "discovery_date": "2022-12-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2153399"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in org.postgresql. This issue allows the creation of a temporary file when using PreparedStatement.setText(int, InputStream) and PreparedStatemet.setBytea(int, InputStream). This could allow a user to create an unexpected file available to all users, which could end in unexpected behavior.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Satellite ships a PostgreSQL JDBC Driver for Hibernate ORM framework, which is embeds into Candlepin. Although Candlepin itself doesn\u0027t make direct use of the PreparedStatement methods from the PostgreSQL JDBC Driver, Hibernate ORM does utilize these methods, potentially making framework affected. Satellite server operating in an environment with untrusted users while the driver is running are vulnerable to the flaw, however, deployments without untrusted users are considered safe. A future Satellite update should address this issue.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K-1.10.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41946"
        },
        {
          "category": "external",
          "summary": "RHBZ#2153399",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2153399"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41946",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41946"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41946"
        }
      ],
      "release_date": "2022-11-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-28T15:59:12+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K-1.10.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3906"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K-1.10.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions"
    },
    {
      "cve": "CVE-2022-46363",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2022-12-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2155681"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A vulnerability was found in Apache CXF that could allow an attacker to perform a remote directory listing or code exfiltration. This issue only applies when the CXFServlet is configured with both the static-resources-list and redirect-query-check attributes. These attributes are not supposed to be used together, so the issue can only occur if the CXF service is misconfigured.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "CXF: directory listing / code exfiltration",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K-1.10.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-46363"
        },
        {
          "category": "external",
          "summary": "RHBZ#2155681",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2155681"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-46363",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46363"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c",
          "url": "https://lists.apache.org/thread/pdzo1qgyplf4y523tnnzrcm7hoco3l8c"
        }
      ],
      "release_date": "2022-12-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-28T15:59:12+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K-1.10.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3906"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K-1.10.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "CXF: directory listing / code exfiltration"
    },
    {
      "cve": "CVE-2023-1370",
      "cwe": {
        "id": "CWE-674",
        "name": "Uncontrolled Recursion"
      },
      "discovery_date": "2023-04-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2188542"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the json-smart package. This security flaw occurs when reaching a \u2018[\u2018 or \u2018{\u2018 character in the JSON input, and the code parses an array or an object, respectively. The 3PP does not have any limit to the nesting of such arrays or objects. Since nested arrays and objects are parsed recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "RHINT Camel-K-1.10.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-1370"
        },
        {
          "category": "external",
          "summary": "RHBZ#2188542",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2188542"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-1370",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1370"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-493p-pfq6-5258",
          "url": "https://github.com/advisories/GHSA-493p-pfq6-5258"
        },
        {
          "category": "external",
          "summary": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/",
          "url": "https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/"
        }
      ],
      "release_date": "2023-03-22T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-06-28T15:59:12+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "RHINT Camel-K-1.10.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:3906"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "RHINT Camel-K-1.10.1"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "json-smart: Uncontrolled Resource Consumption vulnerability in json-smart (Resource Exhaustion)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.