var-201907-1547
Vulnerability from variot
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. RedHatUndertow is a Java-based embedded Web server from RedHat, Inc., and is the default web server for Wildfly (Java Application Server). The vulnerability stems from errors in the configuration of the network system or product during operation. An unauthorized attacker can exploit the vulnerability to obtain sensitive information about the affected component. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Important: Red Hat Single Sign-On 7.3.4 security update on RHEL 6 Advisory ID: RHSA-2019:3044-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2019:3044 Issue date: 2019-10-14 CVE Names: CVE-2019-10184 CVE-2019-12086 CVE-2019-12814 CVE-2019-14379 CVE-2019-14820 CVE-2019-14832 =====================================================================
- Summary:
New Red Hat Single Sign-On 7.3.4 packages are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Single Sign-On 7.3 for RHEL 6 Server - noarch
- Description:
Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.3.4 on RHEL 6 serves as a replacement for Red Hat Single Sign-On 7.3.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
-
keycloak: cross-realm user access auth bypass (CVE-2019-14832)
-
keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820)
-
jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message (CVE-2019-12814)
-
jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
-
jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server (CVE-2019-12086)
-
undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs 1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes 1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. 1725795 - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message. 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass
- JIRA issues fixed (https://issues.jboss.org/):
KEYCLOAK-11454 - Tracker bug for the RH-SSO 7.3.4 release for RHEL7
- Package List:
Red Hat Single Sign-On 7.3 for RHEL 6 Server:
Source: rh-sso7-keycloak-4.8.13-1.Final_redhat_00001.1.el6sso.src.rpm
noarch: rh-sso7-keycloak-4.8.13-1.Final_redhat_00001.1.el6sso.noarch.rpm rh-sso7-keycloak-server-4.8.13-1.Final_redhat_00001.1.el6sso.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2019-10184 https://access.redhat.com/security/cve/CVE-2019-12086 https://access.redhat.com/security/cve/CVE-2019-12814 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2019-14820 https://access.redhat.com/security/cve/CVE-2019-14832 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXaS+r9zjgjWX9erEAQizTBAAmTcTk3Q7rVco9Xx4dWdTBrNeB3cKhnoj Fhkwvdoo4MVgaDWv2P9h9/JFoaCvgw6ZP2ZBbwB0wXq2+F70GFexx/nP44TlL3Kg JBAjCLvYT24Ahtxg9U6bmZwi1++fogj9TfJcC1C7k+TZHvoz3W+BCIO3OFWC2xYb mkT943QgXEALZ+KjAZqG0fE3RvH28zZy1RQO5x0Vb+qr6KTTzEF/VvtQFOiKVtok qyKa+59Ddzr/YLy+QPN4+tOMWNbGJhUnarssUVodgc/1OAEGJLPGB7iez9ekwTNf AzRL9nrMUI+DYs2pz/Cks9aban3uWmjXCn4OxfyBS2vJKiwXIxpHOh8Zfl9NlB7e X2NMGeU34Dem1ofhTErZCDbpkCUHYuiTgaJ53JoWAzVfX3gGb44GFDxN7kQ2DG6q lScmZjNPtI2GJ0h+4L6ViSHOhNOpTSHlfaMsatC4kE50qjNagGC2jcgS9mmYwclX gLuLa+RlbMeZSYSVb4pl2rkKvwdR5tbrLBfznoeT46UPHKT+1Yyd28jlClTNBMoP qroivgayFrYkC/oj0ud0V3POKyxpdZS1rf7GZrwN+etESHn9RZwnzsj413fQtIaw xP5xCmpqGCbBe2JZRLizd+voOn1oZbZSNYpZfGfghQHZ9IuKrECqJ8KQhv5yx2GD cxVVfwDI8os= =akLu -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect. Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. JIRA issues fixed (https://issues.jboss.org/):
JBEAP-16455 - GSS Upgrade Infinispan from 9.3.6 to 9.3.7 JBEAP-16779 - GSS Upgrade Hibernate ORM from 5.3.10 to 5.3.11 JBEAP-17045 - GSS Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00001 to 2.3.5.SP3-redhat-00002 JBEAP-17062 - GSS Upgrade Artemis from 2.7.0.redhat-00057 to 2.9.0.redhat-00005 JBEAP-17073 - GSS Upgrade jboss-ejb-client from 4.0.20 to 4.0.23 JBEAP-17109 - (7.2.z) Upgrade XNIO from 3.6.6.Final-redhat-00001 to 3.7.3.Final-redhat-00001 JBEAP-17112 - GSS Upgrade JBoss Remoting from 5.0.12 to 5.0.14.SP1 JBEAP-17142 - Tracker bug for the EAP 7.2.4 release for RHEL-6 JBEAP-17162 - GSS Upgrade jgroups from 4.0.19 to 4.0.20 JBEAP-17178 - (7.2.z) Upgrade IronJacamar from 1.4.16.Final to 1.4.17.Final JBEAP-17182 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00006 to 2.5.5.SP12-redhat-00007 JBEAP-17183 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00006 to 2.5.5.SP12-redhat-00007 JBEAP-17223 - GSS Upgrade WildFly Core from 6.0.15 to 6.0.16 JBEAP-17238 - GSS Upgrade HAL from 3.0.13 to 3.0.16 JBEAP-17250 - GSS Upgrade JBoss MSC from 1.4.5 to 1.4.8 JBEAP-17271 - GSS Upgrade jboss-logmanager from 2.1.7.Final-redhat-00001 to 2.1.14.Final-redhat-00001 JBEAP-17273 - GSS Upgrade jboss-logging from 3.3.2.Final-redhat-00001 to 3.3.3.Final-redhat-00001 JBEAP-17274 - GSS Upgrade Wildfly Elytron from 1.6.3.Final-redhat-00001 to 1.6.4.Final-redhat-00001 JBEAP-17276 - GSS Upgrade wildfly-transaction-client from 1.1.4.Final-redhat-00001 to 1.1.6.Final-redhat-00001 JBEAP-17277 - GSS Upgrade Undertow from 2.0.22 to 2.0.25.SP1 JBEAP-17278 - GSS Upgrade JBoss Marshalling from 2.0.7 to 2.0.9 JBEAP-17294 - GSS Upgrade weld from 3.0.6.Final-redhat-00001 to 3.0.6.Final-redhat-00002 JBEAP-17311 - GSS Upgrade jboss-jaxrs-api_2.1_spec from 1.0.1.Final-redhat-00001 to 1.0.3.Final-redhat-00001 JBEAP-17320 - GSS Upgrade PicketBox from 5.0.3.Final-redhat-3 to 5.0.3.Final-redhat-00004 JBEAP-17321 - GSS Upgrade Narayana from 5.9.3.Final to 5.9.6.Final JBEAP-17334 - (7.2.z) Upgrade Elytron-Tool from 1.4.2 to 1.4.3.Final JBEAP-17527 - GSS Upgrade Hibernate ORM from 5.3.11 to 5.3.11.SP1
Installation instructions are available from the Fuse 7.6.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/
4
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-201907-1547", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "jboss data grid", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": null }, { "model": "jboss enterprise application platform", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "7.4" }, { "model": "single sign-on", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "7.0" }, { "model": "openshift application runtimes", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": null }, { "model": "jboss enterprise application platform", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "7.3" }, { "model": "single sign-on", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": null }, { "model": "undertow", "scope": "lt", "trust": 1.0, "vendor": "redhat", "version": "2.0.23" }, { "model": "jboss enterprise application platform", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "7.2" }, { "model": "single sign-on", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "7.3" }, { "model": "jboss enterprise application platform", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "7.0.0" }, { "model": "openshift application runtimes", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "1.0" }, { "model": "active iq unified manager", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "jboss enterprise application platform", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": null }, { "model": "jboss enterprise application platform", "scope": null, "trust": 0.8, "vendor": "red hat", "version": null }, { "model": "openshift application runtimes", "scope": null, "trust": 0.8, "vendor": "red hat", "version": null }, { "model": "single sign-on", "scope": null, "trust": 0.8, "vendor": "red hat", "version": null }, { "model": "undertow", "scope": "lt", "trust": 0.8, "vendor": "red hat", "version": "2.0.23" }, { "model": "hat red hat undertow \u003c2.0.23.final", "scope": null, "trust": 0.6, "vendor": "red", "version": null } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "NVD", "id": "CVE-2019-10184" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.0.23", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:openshift_application_runtimes:1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false } ], "operator": "OR" } ], "cpe_match": [], "operator": "AND" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2019-10184" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "154845" }, { "db": "PACKETSTORM", "id": "154843" }, { "db": "PACKETSTORM", "id": "154687" }, { "db": "PACKETSTORM", "id": "154850" }, { "db": "PACKETSTORM", "id": "154672" }, { "db": "PACKETSTORM", "id": "154793" }, { "db": "PACKETSTORM", "id": "156941" }, { "db": "CNNVD", "id": "CNNVD-201907-1345" } ], "trust": 1.3 }, "cve": "CVE-2019-10184", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.0, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2019-10184", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.8, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "CNVD-2019-24570", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "secalert@redhat.com", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 3.9, "impactScore": 1.4, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "None", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "High", "exploitabilityScore": null, "id": "CVE-2019-10184", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2019-10184", "trust": 1.8, "value": "HIGH" }, { "author": "secalert@redhat.com", "id": "CVE-2019-10184", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNVD", "id": "CNVD-2019-24570", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-201907-1345", "trust": 0.6, "value": "HIGH" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "CNNVD", "id": "CNNVD-201907-1345" }, { "db": "NVD", "id": "CVE-2019-10184" }, { "db": "NVD", "id": "CVE-2019-10184" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. RedHatUndertow is a Java-based embedded Web server from RedHat, Inc., and is the default web server for Wildfly (Java Application Server). The vulnerability stems from errors in the configuration of the network system or product during operation. An unauthorized attacker can exploit the vulnerability to obtain sensitive information about the affected component. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Red Hat Single Sign-On 7.3.4 security update on RHEL 6\nAdvisory ID: RHSA-2019:3044-01\nProduct: Red Hat Single Sign-On\nAdvisory URL: https://access.redhat.com/errata/RHSA-2019:3044\nIssue date: 2019-10-14\nCVE Names: CVE-2019-10184 CVE-2019-12086 CVE-2019-12814 \n CVE-2019-14379 CVE-2019-14820 CVE-2019-14832 \n=====================================================================\n\n1. Summary:\n\nNew Red Hat Single Sign-On 7.3.4 packages are now available for Red Hat\nEnterprise Linux 6. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Single Sign-On 7.3 for RHEL 6 Server - noarch\n\n3. Description:\n\nRed Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak\nproject, that provides authentication and standards-based single sign-on\ncapabilities for web and mobile applications. \n\nThis release of Red Hat Single Sign-On 7.3.4 on RHEL 6 serves as a\nreplacement for Red Hat Single Sign-On 7.3.3, and includes bug fixes and\nenhancements, which are documented in the Release Notes document linked to\nin the References. \n\nSecurity Fix(es):\n\n* keycloak: cross-realm user access auth bypass (CVE-2019-14832)\n\n* keycloak: adapter endpoints are exposed via arbitrary URLs\n(CVE-2019-14820)\n\n* jackson-databind: polymorphic typing issue allows attacker to read\narbitrary local files on the server via crafted JSON message\n(CVE-2019-12814)\n\n* jackson-databind: default typing mishandling leading to remote code\nexecution (CVE-2019-14379)\n\n* jackson-databind: polymorphic typing issue allows attacker to read\narbitrary local files on the server (CVE-2019-12086)\n\n* undertow: Information leak in requests for directories without trailing\nslashes (CVE-2019-10184)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs\n1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes\n1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. \n1725795 - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message. \n1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution\n1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nKEYCLOAK-11454 - Tracker bug for the RH-SSO 7.3.4 release for RHEL7\n\n7. Package List:\n\nRed Hat Single Sign-On 7.3 for RHEL 6 Server:\n\nSource:\nrh-sso7-keycloak-4.8.13-1.Final_redhat_00001.1.el6sso.src.rpm\n\nnoarch:\nrh-sso7-keycloak-4.8.13-1.Final_redhat_00001.1.el6sso.noarch.rpm\nrh-sso7-keycloak-server-4.8.13-1.Final_redhat_00001.1.el6sso.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-10184\nhttps://access.redhat.com/security/cve/CVE-2019-12086\nhttps://access.redhat.com/security/cve/CVE-2019-12814\nhttps://access.redhat.com/security/cve/CVE-2019-14379\nhttps://access.redhat.com/security/cve/CVE-2019-14820\nhttps://access.redhat.com/security/cve/CVE-2019-14832\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/\n\n9. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXaS+r9zjgjWX9erEAQizTBAAmTcTk3Q7rVco9Xx4dWdTBrNeB3cKhnoj\nFhkwvdoo4MVgaDWv2P9h9/JFoaCvgw6ZP2ZBbwB0wXq2+F70GFexx/nP44TlL3Kg\nJBAjCLvYT24Ahtxg9U6bmZwi1++fogj9TfJcC1C7k+TZHvoz3W+BCIO3OFWC2xYb\nmkT943QgXEALZ+KjAZqG0fE3RvH28zZy1RQO5x0Vb+qr6KTTzEF/VvtQFOiKVtok\nqyKa+59Ddzr/YLy+QPN4+tOMWNbGJhUnarssUVodgc/1OAEGJLPGB7iez9ekwTNf\nAzRL9nrMUI+DYs2pz/Cks9aban3uWmjXCn4OxfyBS2vJKiwXIxpHOh8Zfl9NlB7e\nX2NMGeU34Dem1ofhTErZCDbpkCUHYuiTgaJ53JoWAzVfX3gGb44GFDxN7kQ2DG6q\nlScmZjNPtI2GJ0h+4L6ViSHOhNOpTSHlfaMsatC4kE50qjNagGC2jcgS9mmYwclX\ngLuLa+RlbMeZSYSVb4pl2rkKvwdR5tbrLBfznoeT46UPHKT+1Yyd28jlClTNBMoP\nqroivgayFrYkC/oj0ud0V3POKyxpdZS1rf7GZrwN+etESHn9RZwnzsj413fQtIaw\nxP5xCmpqGCbBe2JZRLizd+voOn1oZbZSNYpZfGfghQHZ9IuKrECqJ8KQhv5yx2GD\ncxVVfwDI8os=\n=akLu\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-16455 - [GSS](7.2.z) Upgrade Infinispan from 9.3.6 to 9.3.7\nJBEAP-16779 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.10 to 5.3.11\nJBEAP-17045 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00001 to 2.3.5.SP3-redhat-00002\nJBEAP-17062 - [GSS](7.2.z) Upgrade Artemis from 2.7.0.redhat-00057 to 2.9.0.redhat-00005\nJBEAP-17073 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.20 to 4.0.23\nJBEAP-17109 - (7.2.z) Upgrade XNIO from 3.6.6.Final-redhat-00001 to 3.7.3.Final-redhat-00001\nJBEAP-17112 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.12 to 5.0.14.SP1\nJBEAP-17142 - Tracker bug for the EAP 7.2.4 release for RHEL-6\nJBEAP-17162 - [GSS](7.2.z) Upgrade jgroups from 4.0.19 to 4.0.20\nJBEAP-17178 - (7.2.z) Upgrade IronJacamar from 1.4.16.Final to 1.4.17.Final\nJBEAP-17182 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00006 to 2.5.5.SP12-redhat-00007\nJBEAP-17183 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00006 to 2.5.5.SP12-redhat-00007\nJBEAP-17223 - [GSS](7.2.z) Upgrade WildFly Core from 6.0.15 to 6.0.16\nJBEAP-17238 - [GSS](7.2.z) Upgrade HAL from 3.0.13 to 3.0.16\nJBEAP-17250 - [GSS](7.2.z) Upgrade JBoss MSC from 1.4.5 to 1.4.8\nJBEAP-17271 - [GSS](7.2.z) Upgrade jboss-logmanager from 2.1.7.Final-redhat-00001 to 2.1.14.Final-redhat-00001\nJBEAP-17273 - [GSS](7.2.z) Upgrade jboss-logging from 3.3.2.Final-redhat-00001 to 3.3.3.Final-redhat-00001\nJBEAP-17274 - [GSS](7.2.z) Upgrade Wildfly Elytron from 1.6.3.Final-redhat-00001 to 1.6.4.Final-redhat-00001\nJBEAP-17276 - [GSS](7.2.z) Upgrade wildfly-transaction-client from 1.1.4.Final-redhat-00001 to 1.1.6.Final-redhat-00001\nJBEAP-17277 - [GSS](7.2.z) Upgrade Undertow from 2.0.22 to 2.0.25.SP1\nJBEAP-17278 - [GSS](7.2.z) Upgrade JBoss Marshalling from 2.0.7 to 2.0.9\nJBEAP-17294 - [GSS](7.2.z) Upgrade weld from 3.0.6.Final-redhat-00001 to 3.0.6.Final-redhat-00002\nJBEAP-17311 - [GSS](7.2.z) Upgrade jboss-jaxrs-api_2.1_spec from 1.0.1.Final-redhat-00001 to 1.0.3.Final-redhat-00001\nJBEAP-17320 - [GSS](7.2.z) Upgrade PicketBox from 5.0.3.Final-redhat-3 to 5.0.3.Final-redhat-00004\nJBEAP-17321 - [GSS](7.2.z) Upgrade Narayana from 5.9.3.Final to 5.9.6.Final\nJBEAP-17334 - (7.2.z) Upgrade Elytron-Tool from 1.4.2 to 1.4.3.Final\nJBEAP-17527 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.11 to 5.3.11.SP1\n\n7. \n\nInstallation instructions are available from the Fuse 7.6.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/\n\n4", "sources": [ { "db": "NVD", "id": "CVE-2019-10184" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "PACKETSTORM", "id": "154845" }, { "db": "PACKETSTORM", "id": "154843" }, { "db": "PACKETSTORM", "id": "154687" }, { "db": "PACKETSTORM", "id": "154850" }, { "db": "PACKETSTORM", "id": "154672" }, { "db": "PACKETSTORM", "id": "154793" }, { "db": "PACKETSTORM", "id": "156941" } ], "trust": 2.79 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-10184", "trust": 3.7 }, { "db": "JVNDB", "id": "JVNDB-2019-007209", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "154793", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "156941", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2019-24570", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "156628", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "154665", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.3672", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.1076", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2019.3805", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.0832", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-201907-1345", "trust": 0.6 }, { "db": "PACKETSTORM", "id": "154845", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "154843", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "154687", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "154850", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "154672", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "PACKETSTORM", "id": "154845" }, { "db": "PACKETSTORM", "id": "154843" }, { "db": "PACKETSTORM", "id": "154687" }, { "db": "PACKETSTORM", "id": "154850" }, { "db": "PACKETSTORM", "id": "154672" }, { "db": "PACKETSTORM", "id": "154793" }, { "db": "PACKETSTORM", "id": "156941" }, { "db": "CNNVD", "id": "CNNVD-201907-1345" }, { "db": "NVD", "id": "CVE-2019-10184" } ] }, "id": "VAR-201907-1547", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" } ], "trust": 1.6 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" } ] }, "last_update_date": "2024-07-23T19:38:13.489000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "[UNDERTOW-1578] 401 Unauthorized should be returned when requesting a protected directory without trailing slash #794", "trust": 0.8, "url": "https://github.com/undertow-io/undertow/pull/794" }, { "title": "Bug 1713068", "trust": 0.8, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-10184" }, { "title": "Patch for RedHatUndertow Information Disclosure Vulnerability (CNVD-2019-24570)", "trust": 0.6, "url": "https://www.cnvd.org.cn/patchinfo/show/172059" }, { "title": "Red Hat Undertow Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=95492" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "CNNVD", "id": "CNNVD-201907-1345" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-862", "trust": 1.0 }, { "problemtype": "CWE-200", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "NVD", "id": "CVE-2019-10184" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.7, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10184" }, { "trust": 2.3, "url": "https://access.redhat.com/errata/rhsa-2019:3046" }, { "trust": 2.3, "url": "https://access.redhat.com/errata/rhsa-2019:3044" }, { "trust": 2.3, "url": "https://access.redhat.com/errata/rhsa-2019:2938" }, { "trust": 2.3, "url": "https://access.redhat.com/errata/rhsa-2019:3050" }, { "trust": 2.3, "url": "https://access.redhat.com/errata/rhsa-2019:2935" }, { "trust": 2.2, "url": "https://access.redhat.com/errata/rhsa-2019:2937" }, { "trust": 2.2, "url": "https://access.redhat.com/errata/rhsa-2019:2936" }, { "trust": 2.2, "url": "https://access.redhat.com/errata/rhsa-2019:3045" }, { "trust": 1.7, "url": "https://access.redhat.com/errata/rhsa-2019:2998" }, { "trust": 1.6, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-10184" }, { "trust": 1.6, "url": "https://access.redhat.com/errata/rhsa-2020:0727" }, { "trust": 1.6, "url": "https://github.com/undertow-io/undertow/pull/794" }, { "trust": 1.6, "url": "https://security.netapp.com/advisory/ntap-20220210-0016/" }, { "trust": 0.8, "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-10184" }, { "trust": 0.7, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14379" }, { "trust": 0.7, "url": "https://access.redhat.com/security/cve/cve-2019-10184" }, { "trust": 0.7, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.7, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.7, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.7, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.7, "url": "https://access.redhat.com/security/cve/cve-2019-14379" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12086" }, { "trust": 0.6, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12814" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2019-12814" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2019-12086" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/undertow-information-disclosure-via-trailing-slashes-30482" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.3805/" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/154793/red-hat-security-advisory-2019-2998-01.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.0832/" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.1076/" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/156628/red-hat-security-advisory-2020-0727-01.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/156941/red-hat-security-advisory-2020-0983-01.html" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/154665/red-hat-security-advisory-2019-2937-01.html" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2019.3672/" }, { "trust": 0.5, "url": "https://issues.jboss.org/):" }, { "trust": 0.4, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12384" }, { "trust": 0.4, "url": "https://access.redhat.com/security/cve/cve-2019-12384" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2019-14832" }, { "trust": 0.3, "url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/" }, { "trust": 0.3, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2019-14820" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14832" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14820" }, { "trust": 0.3, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10212" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2019-10212" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2019-10202" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10202" }, { "trust": 0.2, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/" }, { "trust": 0.2, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2019-3888" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3888" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=7.2" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=core.service.rhsso\u0026downloadtype=securitypatches\u0026version=7.3" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3868" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product\\xcatrhoar.thorntail\u0026version=2.5.0" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3868" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html/release_notes_for_thorntail_2/" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9513" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9514" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9517" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10174" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2015-9251" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9515" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11771" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-5427" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9512" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9514" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12422" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9517" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9515" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-5929" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12422" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14439" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9516" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9518" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11272" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-17570" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9513" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17570" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.6.0" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2017-5929" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-11771" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-14439" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3802" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9512" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-15756" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-5427" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15756" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2015-9251" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2017-16012" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-10174" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11272" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9516" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3802" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9518" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2017-16012" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:0983" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "PACKETSTORM", "id": "154845" }, { "db": "PACKETSTORM", "id": "154843" }, { "db": "PACKETSTORM", "id": "154687" }, { "db": "PACKETSTORM", "id": "154850" }, { "db": "PACKETSTORM", "id": "154672" }, { "db": "PACKETSTORM", "id": "154793" }, { "db": "PACKETSTORM", "id": "156941" }, { "db": "CNNVD", "id": "CNNVD-201907-1345" }, { "db": "NVD", "id": "CVE-2019-10184" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2019-24570" }, { "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "db": "PACKETSTORM", "id": "154845" }, { "db": "PACKETSTORM", "id": "154843" }, { "db": "PACKETSTORM", "id": "154687" }, { "db": "PACKETSTORM", "id": "154850" }, { "db": "PACKETSTORM", "id": "154672" }, { "db": "PACKETSTORM", "id": "154793" }, { "db": "PACKETSTORM", "id": "156941" }, { "db": "CNNVD", "id": "CNNVD-201907-1345" }, { "db": "NVD", "id": "CVE-2019-10184" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-07-29T00:00:00", "db": "CNVD", "id": "CNVD-2019-24570" }, { "date": "2019-08-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "date": "2019-10-14T23:03:33", "db": "PACKETSTORM", "id": "154845" }, { "date": "2019-10-14T20:22:22", "db": "PACKETSTORM", "id": "154843" }, { "date": "2019-09-30T18:22:22", "db": "PACKETSTORM", "id": "154687" }, { "date": "2019-10-15T00:11:31", "db": "PACKETSTORM", "id": "154850" }, { "date": "2019-09-30T18:22:22", "db": "PACKETSTORM", "id": "154672" }, { "date": "2019-10-10T14:44:58", "db": "PACKETSTORM", "id": "154793" }, { "date": "2020-03-27T13:16:40", "db": "PACKETSTORM", "id": "156941" }, { "date": "2019-07-25T00:00:00", "db": "CNNVD", "id": "CNNVD-201907-1345" }, { "date": "2019-07-25T21:15:11.473000", "db": "NVD", "id": "CVE-2019-10184" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2019-07-29T00:00:00", "db": "CNVD", "id": "CNVD-2019-24570" }, { "date": "2019-08-05T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-007209" }, { "date": "2022-03-10T00:00:00", "db": "CNNVD", "id": "CNNVD-201907-1345" }, { "date": "2022-02-20T06:11:42.433000", "db": "NVD", "id": "CVE-2019-10184" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-201907-1345" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "undertow Vulnerable to information disclosure", "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-007209" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code execution", "sources": [ { "db": "PACKETSTORM", "id": "154845" }, { "db": "PACKETSTORM", "id": "154843" }, { "db": "PACKETSTORM", "id": "154687" }, { "db": "PACKETSTORM", "id": "154850" }, { "db": "PACKETSTORM", "id": "154672" }, { "db": "PACKETSTORM", "id": "154793" } ], "trust": 0.6 } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.