rhsa-2023_6107
Vulnerability from csaf_redhat
Published
2023-10-25 12:34
Modified
2024-11-06 04:00
Summary
Red Hat Security Advisory: Updated Kogito for Red Hat Process Automation Manager 7.13.4 SP1 Images
Notes
Topic
A Kogito update is now available for Red Hat Process Automation Manager, including images for Red Hat OpenShift Container Platform.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.
This release includes security fixes.
Security Fix(es):
* quarkus: HTTP security policy bypass (CVE-2023-4853)
A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A Kogito update is now available for Red Hat Process Automation Manager, including images for Red Hat OpenShift Container Platform.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release includes security fixes.\n\nSecurity Fix(es):\n\n* quarkus: HTTP security policy bypass (CVE-2023-4853)\n\nA Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:6107", "url": "https://access.redhat.com/errata/RHSA-2023:6107" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002" }, { "category": "external", "summary": "2238034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6107.json" } ], "title": "Red Hat Security Advisory: Updated Kogito for Red Hat Process Automation Manager 7.13.4 SP1 Images", "tracking": { "current_release_date": "2024-11-06T04:00:50+00:00", "generator": { "date": "2024-11-06T04:00:50+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2023:6107", "initial_release_date": "2023-10-25T12:34:17+00:00", "revision_history": [ { "date": "2023-10-25T12:34:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-10-25T12:34:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T04:00:50+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Middleware 
Containers for OpenShift", "product": { "name": "Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware", "product_identification_helper": { "cpe": "cpe:/a:redhat:rhosemc:1.0::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift Enterprise" }, { "branches": [ { "category": "product_version", "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "product": { "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "product_id": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-builder-rhel8\u0026tag=7.13.4-3" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "product": { "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "product_id": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator-bundle\u0026tag=7.13.4-2" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "product": { "name": 
"rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "product_id": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator\u0026tag=7.13.4-2" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le", "product": { "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le", "product_id": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064?arch=ppc64le\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-runtime-jvm-rhel8\u0026tag=7.13.4-3" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "product": { "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "product_id": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-builder-rhel8\u0026tag=7.13.4-3" } } }, { "category": 
"product_version", "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "product": { "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "product_id": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator-bundle\u0026tag=7.13.4-2" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "product": { "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "product_id": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-rhel8-operator\u0026tag=7.13.4-2" } } }, { "category": "product_version", "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "product": { "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "product_id": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "product_identification_helper": { "purl": 
"pkg:oci/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7/rhpam-kogito-runtime-jvm-rhel8\u0026tag=7.13.4-3" } } }, { "category": "product_version", "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "product": { "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "product_id": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "product_identification_helper": { "purl": "pkg:oci/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6?arch=amd64\u0026repository_url=registry.redhat.io/rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8\u0026tag=7.13.4-3" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64" }, "product_reference": "rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64 as a component of Middleware Containers for 
OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64" }, "product_reference": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le" }, "product_reference": "rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64" }, "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le" }, 
"product_reference": "rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le" }, "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64" }, "product_reference": "rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "relates_to_product_reference": "8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64 as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64" }, "product_reference": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "relates_to_product_reference": 
"8Base-RHOSE-Middleware" }, { "category": "default_component_of", "full_product_name": { "name": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le as a component of Middleware Containers for OpenShift", "product_id": "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le" }, "product_reference": "rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le", "relates_to_product_reference": "8Base-RHOSE-Middleware" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-4853", "cwe": { "id": "CWE-148", "name": "Improper Neutralization of Input Leaders" }, "discovery_date": "2023-09-08T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2238034" } ], "notes": [ { "category": "description", "text": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. 
This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "quarkus: HTTP security policy bypass", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": 
"https://access.redhat.com/security/cve/CVE-2023-4853" }, { "category": "external", "summary": "RHBZ#2238034", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238034" }, { "category": "external", "summary": "RHSB-2023-002", "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-002" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-4853", "url": "https://www.cve.org/CVERecord?id=CVE-2023-4853" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4853" } ], "release_date": "2023-09-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-10-25T12:34:17+00:00", "details": "Updated Red Hat Process Automation Manager 7.13.4 SP1 OpenShift images can be found in the Red Hat Container Catalog.", "product_ids": [ "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:6107" }, { "category": "workaround", "details": "Use a \u2018deny\u2019 wildcard for base paths, then authenticate specifics within that:\n\nExamples:\n```\ndeny: /*\nauthenticated: /services/*\n```\nor\n```\ndeny: /services/*\nroles-allowed: /services/rbac/*\n```\n\nNOTE: Products are only vulnerable if they use (or allow use of) path-based HTTP policy configuration. Products may also be affected\u2013shipping the component in question\u2013without being vulnerable (\u201caffected at reduced impact\u201d).\n\nSee https://access.redhat.com/security/vulnerabilities/RHSB-2023-002 for more detailed mitigations.", "product_ids": [ "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-RHOSE-Middleware:rhpam-7-tech-preview/rhpam-kogito-runtime-native-rhel8@sha256:9ad109b7163da5f8caaf2b104475004548886d7dbbc9a732425fcafcf41b0ea6_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:45b76edfd70a76efb113a5754b72e684aa3093add2db3fac7394a94032723203_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-builder-rhel8@sha256:ba92f9f2163a29eb956e445a3687e83c54838fae6098b81bef980fbb27a2c0b5_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:65f4db25e0fa2348279061a29f8f137494918362d152a42946dfc9d8dcb4f343_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator-bundle@sha256:f84af09c90836c2f4ee93fed624d04478953b4fc70c25eee277373d829101fa6_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:8ecf3a814085236c5692c18a117a604348172fc2d38566363d16191d52717406_ppc64le", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-rhel8-operator@sha256:dbc35eb75dfe94c46c99d9b45906a86abf895cfba37bb001c11cc463bda3c733_amd64", "8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:62d4cd51c9ed4735a0a7d78668b4b3eeb4db5b625f4f36e125698212321bc9b1_amd64", 
"8Base-RHOSE-Middleware:rhpam-7/rhpam-kogito-runtime-jvm-rhel8@sha256:e525c9934424b2b46a61a3b8d6b1cef7f005c19456e927d544733f66dcfdf064_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "quarkus: HTTP security policy bypass" } ] }