var-202103-0062
Vulnerability from variot
A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable. plural Red Hat Product Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Red Hat Undertow is a Java-based embedded Web server of Red Hat (Red Hat), the default Web server of Wildfly (Java application server).
The HttpOpenListener in Red Hat Undertow has a resource management error vulnerability, which stems from the fact that the remote connection will always remain connected. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Security Fix(es):
-
libquartz: XXE attacks via job description (CVE-2019-13990)
-
jetty: double release of resource can lead to information disclosure (CVE-2019-17638)
-
keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
-
springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)
-
wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
-
camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution (CVE-2020-11972)
-
camel: Netty enables Java deserialization by default which could leed to remote code execution (CVE-2020-11973)
-
shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)
-
camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)
-
postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)
-
shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)
-
RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
-
jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)
-
thrift: Endless loop when feed with specific input data (CVE-2019-0205)
-
thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
-
mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)
-
spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)
-
spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)
-
codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)
-
hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
-
org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)
-
cxf: does not restrict the number of message attachments (CVE-2019-12406)
-
cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
-
hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
-
batik: SSRF via "xlink:href" (CVE-2019-17566)
-
Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)
-
Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
-
apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)
-
cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
-
tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers (CVE-2020-9489)
-
dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
-
netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)
-
camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)
-
karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)
-
tika: excessive memory usage in PSDParser (CVE-2020-1950)
-
log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Installation instructions are available from the Fuse 7.8.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/
- Bugs fixed (https://bugzilla.redhat.com/):
1665601 - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation 1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM 1670593 - CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources 1670597 - CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources 1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser 1703402 - CVE-2019-2692 mysql-connector-java: privilege escalation in MySQL connector 1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution 1731271 - CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities 1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely 1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain 1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId 1799475 - CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application 1801149 - CVE-2019-13990 libquartz: XXE attacks via job description 1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation 1816170 - CVE-2019-12406 cxf: does not restrict the number of message attachments 1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes 1822759 - CVE-2020-1950 tika: excessive memory usage in PSDParser 1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender 1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans 1848126 - CVE-2020-1960 apache-flink: JMX information disclosure vulnerability 1848433 - CVE-2020-11971 camel: DNS Rebinding in JMX Connector could result in remote command execution 1848464 - CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution 1848465 - CVE-2020-11973 camel: Netty enables Java deserialization by default which could leed to remote code execution 1848617 - CVE-2019-17566 batik: SSRF via "xlink:href" 1850042 - CVE-2020-9489 tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers 1850069 - CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass 1850450 - CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs 1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML 1855786 - CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components 1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS 1864680 - CVE-2019-17638 jetty: double release of resource can lead to information disclosure 1869860 - CVE-2020-13933 shiro: specially crafted HTTP request may cause an authentication bypass 1879743 - CVE-2019-11777 org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library
- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: EAP Continuous Delivery Technical Preview Release 18 security update Advisory ID: RHSA-2020:2565-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:2565 Issue date: 2020-06-15 CVE Names: CVE-2019-3805 CVE-2019-9511 CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2019-14838 CVE-2019-19343 CVE-2020-11619 CVE-2020-11620 ==================================================================== 1. Summary:
This is a security update for JBoss EAP Continuous Delivery 18.0.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat JBoss Enterprise Application Platform CD18 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform CD18 includes bug fixes and enhancements.
Security Fix(es):
- jackson-databind: Serialization gadgets in org.springframework:spring-aop (CVE-2020-11619)
- jackson-databind: Serialization gadgets in commons-jelly:commons-jelly (CVE-2020-11620)
- wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)
- undertow: HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)
- undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
- undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
- undertow: HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
- wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default (CVE-2019-14838)
- undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
You must restart the JBoss server process for the update to take effect.
The References section of this erratum contains a download link (you must log in to download the update)
- Bugs fixed (https://bugzilla.redhat.com/):
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service 1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default 1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely 1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly 1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop
- References:
https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/cve/CVE-2019-9511 https://access.redhat.com/security/cve/CVE-2019-9512 https://access.redhat.com/security/cve/CVE-2019-9514 https://access.redhat.com/security/cve/CVE-2019-9515 https://access.redhat.com/security/cve/CVE-2019-14838 https://access.redhat.com/security/cve/CVE-2019-19343 https://access.redhat.com/security/cve/CVE-2020-11619 https://access.redhat.com/security/cve/CVE-2020-11620 https://access.redhat.com/security/updates/classification/#important
- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXueq39zjgjWX9erEAQiVvw//WMAI8AuJgNj6ocD8JJbETwuAlv3Qjc2n iZ29Nu4o7hQTR9GLyLu7f4Tcn9gzRfLUXFR4Ly0KknHTOluRcmYatf4pT1yM+1/Z MP3SyS/HScdxvoKybcz0LgzT6D5HpfkskB49QYEQNI4TnWz88fKpET/fQc/kDUGS mJ4EKGcZdYFzCHo2vuK28WCd1e612Dg2MSv7jfctJltwQQunJTsovKJdyFOaIUsV U8GdYj8TL3PlARInizUioB/UA7tReRhkg97jjzQBqQXHUfNnwr3kSMHAWrANnvGx m+1B+QLVdcT+22OvsXgdlksK4ceOleSFJ77kiIcuU9PSQ/FRArigDKrj5DQIUfjY yG7xOE0h9AlMeoQUhyWikG0ZyYJ+v+S85cquWPZZiWuXesht8XAlyYpba1sz+Tuj g/ASXhlUl9WRSAKIe6ijqNasi5vcs4kNnpcKJv4DZe+cJSLtU/QE9P7FUmXxJPuE 2MTonbkWRLtEAcOx6An0pJAQRGStqCCYd4hOP2KWcUgTe1rxbkidyq0ggo5LsRpT +03VNDjJqkTBwTVc1OPEqCZYu4aa+45NJNDPwwiuse1BW0vw41SCoRDHe7QiWNrn 27CK6VcWpjJKybVLzKxkIas6MUJISdp7KAES5NgrKo/R3V3ycZCd2RJP0Ib8oevO s+d7FrCZsfA=ZGb7 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202103-0062", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "jboss-remoting", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "5.0.14" }, { "model": "jboss enterprise application platform", "scope": "lt", "trust": 1.0, "vendor": "redhat", "version": "7.2.4" }, { "model": "undertow", "scope": "eq", "trust": 1.0, "vendor": "redhat", "version": "2.0.25" }, { "model": "undertow", "scope": "lt", "trust": 1.0, "vendor": "redhat", "version": "2.0.25" }, { "model": "active iq unified manager", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "jboss-remoting", "scope": "lt", "trust": 1.0, "vendor": "redhat", "version": "5.0.14" }, { "model": "jboss enterprise application platform", "scope": null, "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": null }, { "model": "undertow", "scope": "eq", "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": "2.0.25.sp1" }, { "model": "jboss-remoting", "scope": null, "trust": 0.8, "vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8", "version": null }, { "model": "hat jboss remoting", "scope": "lte", "trust": 0.6, "vendor": "red", "version": "\u003c=5.0.14" }, { "model": "hat undertow", "scope": "lte", "trust": 0.6, "vendor": "red", "version": "\u003c=2.0.25" }, { "model": "hat jboss enterprise application platform", "scope": "lt", "trust": 0.6, "vendor": "red", "version": "7.2.4" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-25685" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "NVD", "id": "CVE-2019-19343" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:jboss-remoting:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "5.0.14", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss-remoting:5.0.14:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "7.2.4", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.0.25", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:undertow:2.0.25:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vsphere:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2019-19343" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "160562" }, { "db": "PACKETSTORM", "id": "158095" }, { "db": "CNNVD", "id": "CNNVD-202006-1060" } ], "trust": 0.8 }, "cve": "CVE-2019-19343", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "Partial", "baseScore": 5.0, "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2019-19343", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "CNVD", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "exploitabilityScore": 10.0, "id": "CNVD-2021-25685", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.6, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "exploitabilityScore": 3.9, "impactScore": 3.6, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "NVD", "availabilityImpact": "High", "baseScore": 7.5, "baseSeverity": "High", "confidentialityImpact": "None", "exploitabilityScore": null, "id": "CVE-2019-19343", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2019-19343", "trust": 1.8, "value": "HIGH" }, { "author": "CNVD", "id": "CNVD-2021-25685", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202006-1060", "trust": 0.6, "value": "HIGH" }, { "author": "VULMON", "id": "CVE-2019-19343", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-25685" }, { "db": "VULMON", "id": "CVE-2019-19343" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "NVD", "id": "CVE-2019-19343" }, { "db": "CNNVD", "id": "CNNVD-202006-1060" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable. plural Red Hat Product Is vulnerable to a resource exhaustion.Denial of service (DoS) It may be put into a state. Red Hat Undertow is a Java-based embedded Web server of Red Hat (Red Hat), the default Web server of Wildfly (Java application server). \n\r\n\r\nThe HttpOpenListener in Red Hat Undertow has a resource management error vulnerability, which stems from the fact that the remote connection will always remain connected. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nSecurity Fix(es):\n\n* libquartz: XXE attacks via job description (CVE-2019-13990)\n\n* jetty: double release of resource can lead to information disclosure\n(CVE-2019-17638)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code\nExecution (CVE-2020-1714)\n\n* springframework: RFD attack via Content-Disposition Header sourced from\nrequest input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)\n\n* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans\n(CVE-2020-10740)\n\n* camel: RabbitMQ enables Java deserialization by default which could leed\nto remote code execution (CVE-2020-11972)\n\n* camel: Netty enables Java deserialization by default which could leed to\nremote code execution (CVE-2020-11973)\n\n* shiro: spring dynamic controllers, a specially crafted request may cause\nan authentication bypass (CVE-2020-11989)\n\n* camel: server-side template injection and arbitrary file disclosure on\ntemplating components (CVE-2020-11994)\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML\n(CVE-2020-13692)\n\n* shiro: specially crafted HTTP request may cause an authentication bypass\n(CVE-2020-13933)\n\n* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)\n\n* jackson-modules-java8: DoS due to an Improper Input Validation\n(CVE-2018-1000873)\n\n* thrift: Endless loop when feed with specific input data (CVE-2019-0205)\n\n* thrift: Out-of-bounds read related to TJSONProtocol or\nTSimpleJSONProtocol (CVE-2019-0210)\n\n* mysql-connector-java: privilege escalation in MySQL connector\n(CVE-2019-2692)\n\n* spring-ws: XML External Entity Injection (XXE) when receiving XML data\nfrom untrusted sources (CVE-2019-3773)\n\n* spring-batch: XML External Entity Injection (XXE) when receiving XML data\nfrom untrusted sources (CVE-2019-3774)\n\n* codehaus: incomplete fix for unsafe deserialization in jackson-databind\nvulnerabilities (CVE-2019-10202)\n\n* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)\n\n* org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT\nlibrary (CVE-2019-11777)\n\n* cxf: does not restrict the number of message attachments (CVE-2019-12406)\n\n* cxf: OpenId Connect token service does not properly validate the clientId\n(CVE-2019-12423)\n\n* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)\n\n* batik: SSRF via \"xlink:href\" (CVE-2019-17566)\n\n* Undertow: Memory Leak in Undertow HttpOpenListener due to holding\nremoting connections indefinitely (CVE-2019-19343)\n\n* Wildfly: EJBContext principal is not popped back after invoking another\nEJB using a different Security Domain (CVE-2020-1719)\n\n* apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)\n\n* cryptacular: excessive memory allocation during a decode operation\n(CVE-2020-7226)\n\n* tika-core: Denial of Service Vulnerabilities in Some of Apache Tika\u0027s\nParsers (CVE-2020-9489)\n\n* dom4j: XML External Entity vulnerability in default SAX parser\n(CVE-2020-10683)\n\n* netty: compression/decompression codecs don\u0027t enforce limits on buffer\nallocation sizes (CVE-2020-11612)\n\n* camel: DNS Rebinding in JMX Connector could result in remote command\nexecution (CVE-2020-11971)\n\n* karaf: A remote client could create MBeans from arbitrary URLs\n(CVE-2020-11980)\n\n* tika: excessive memory usage in PSDParser (CVE-2020-1950)\n\n* log4j: improper validation of certificate with host mismatch in SMTP\nappender (CVE-2020-9488)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nInstallation instructions are available from the Fuse 7.8.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1665601 - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation\n1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM\n1670593 - CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources\n1670597 - CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources\n1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser\n1703402 - CVE-2019-2692 mysql-connector-java: privilege escalation in MySQL connector\n1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution\n1731271 - CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities\n1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS\n1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol\n1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data\n1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely\n1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain\n1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId\n1799475 - CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application\n1801149 - CVE-2019-13990 libquartz: XXE attacks via job description\n1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation\n1816170 - CVE-2019-12406 cxf: does not restrict the number of message attachments\n1816216 - CVE-2020-11612 netty: compression/decompression codecs don\u0027t enforce limits on buffer allocation sizes\n1822759 - CVE-2020-1950 tika: excessive memory usage in PSDParser\n1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender\n1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans\n1848126 - CVE-2020-1960 apache-flink: JMX information disclosure vulnerability\n1848433 - CVE-2020-11971 camel: DNS Rebinding in JMX Connector could result in remote command execution\n1848464 - CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution\n1848465 - CVE-2020-11973 camel: Netty enables Java deserialization by default which could leed to remote code execution\n1848617 - CVE-2019-17566 batik: SSRF via \"xlink:href\"\n1850042 - CVE-2020-9489 tika-core: Denial of Service Vulnerabilities in Some of Apache Tika\u0027s Parsers\n1850069 - CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass\n1850450 - CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs\n1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML\n1855786 - CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components\n1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS\n1864680 - CVE-2019-17638 jetty: double release of resource can lead to information disclosure\n1869860 - CVE-2020-13933 shiro: specially crafted HTTP request may cause an authentication bypass\n1879743 - CVE-2019-11777 org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library\n\n5. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: EAP Continuous Delivery Technical Preview Release 18 security update\nAdvisory ID: RHSA-2020:2565-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2565\nIssue date: 2020-06-15\nCVE Names: CVE-2019-3805 CVE-2019-9511 CVE-2019-9512\n CVE-2019-9514 CVE-2019-9515 CVE-2019-14838\n CVE-2019-19343 CVE-2020-11619 CVE-2020-11620\n====================================================================\n1. Summary:\n\nThis is a security update for JBoss EAP Continuous Delivery 18.0. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat JBoss Enterprise Application Platform CD18 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform CD18 includes\nbug fixes and enhancements. \n\nSecurity Fix(es):\n\n* jackson-databind: Serialization gadgets in org.springframework:spring-aop\n(CVE-2020-11619)\n* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly\n(CVE-2020-11620)\n* wildfly: Race condition on PID file allows for termination of arbitrary\nprocesses by local users (CVE-2019-3805)\n* undertow: HTTP/2: large amount of data requests leads to denial of\nservice (CVE-2019-9511)\n* undertow: HTTP/2: flood using HEADERS frames results in unbounded memory\ngrowth (CVE-2019-9514)\n* undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory\ngrowth (CVE-2019-9515)\n* undertow: HTTP/2: flood using PING frames results in unbounded memory\ngrowth (CVE-2019-9512)\n* wildfly-core: Incorrect privileges for \u0027Monitor\u0027, \u0027Auditor\u0027 and\n\u0027Deployer\u0027 user by default (CVE-2019-14838)\n* undertow: Memory Leak in Undertow HttpOpenListener due to holding\nremoting connections indefinitely (CVE-2019-19343)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. \n\nYou must restart the JBoss server process for the update to take effect. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update)\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users\n1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth\n1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth\n1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth\n1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service\n1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for \u0027Monitor\u0027, \u0027Auditor\u0027 and \u0027Deployer\u0027 user by default\n1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely\n1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly\n1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-3805\nhttps://access.redhat.com/security/cve/CVE-2019-9511\nhttps://access.redhat.com/security/cve/CVE-2019-9512\nhttps://access.redhat.com/security/cve/CVE-2019-9514\nhttps://access.redhat.com/security/cve/CVE-2019-9515\nhttps://access.redhat.com/security/cve/CVE-2019-14838\nhttps://access.redhat.com/security/cve/CVE-2019-19343\nhttps://access.redhat.com/security/cve/CVE-2020-11619\nhttps://access.redhat.com/security/cve/CVE-2020-11620\nhttps://access.redhat.com/security/updates/classification/#important\n\n6. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXueq39zjgjWX9erEAQiVvw//WMAI8AuJgNj6ocD8JJbETwuAlv3Qjc2n\niZ29Nu4o7hQTR9GLyLu7f4Tcn9gzRfLUXFR4Ly0KknHTOluRcmYatf4pT1yM+1/Z\nMP3SyS/HScdxvoKybcz0LgzT6D5HpfkskB49QYEQNI4TnWz88fKpET/fQc/kDUGS\nmJ4EKGcZdYFzCHo2vuK28WCd1e612Dg2MSv7jfctJltwQQunJTsovKJdyFOaIUsV\nU8GdYj8TL3PlARInizUioB/UA7tReRhkg97jjzQBqQXHUfNnwr3kSMHAWrANnvGx\nm+1B+QLVdcT+22OvsXgdlksK4ceOleSFJ77kiIcuU9PSQ/FRArigDKrj5DQIUfjY\nyG7xOE0h9AlMeoQUhyWikG0ZyYJ+v+S85cquWPZZiWuXesht8XAlyYpba1sz+Tuj\ng/ASXhlUl9WRSAKIe6ijqNasi5vcs4kNnpcKJv4DZe+cJSLtU/QE9P7FUmXxJPuE\n2MTonbkWRLtEAcOx6An0pJAQRGStqCCYd4hOP2KWcUgTe1rxbkidyq0ggo5LsRpT\n+03VNDjJqkTBwTVc1OPEqCZYu4aa+45NJNDPwwiuse1BW0vw41SCoRDHe7QiWNrn\n27CK6VcWpjJKybVLzKxkIas6MUJISdp7KAES5NgrKo/R3V3ycZCd2RJP0Ib8oevO\ns+d7FrCZsfA=ZGb7\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n", "sources": [ { "db": "NVD", "id": "CVE-2019-19343" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "CNVD", "id": "CNVD-2021-25685" }, { "db": "VULMON", "id": "CVE-2019-19343" }, { "db": "PACKETSTORM", "id": "160562" }, { "db": "PACKETSTORM", "id": "158095" } ], "trust": 2.43 }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2019-19343", "trust": 3.3 }, { "db": "PACKETSTORM", "id": "158095", "trust": 1.3 }, { "db": "AUSCERT", "id": "ESB-2020.2071", "trust": 1.2 }, { "db": "JVNDB", "id": "JVNDB-2019-016231", "trust": 0.8 }, { "db": "PACKETSTORM", "id": "160562", "trust": 0.7 }, { "db": "CNVD", "id": "CNVD-2021-25685", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2020.4464", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202006-1060", "trust": 0.6 }, { "db": "VULMON", "id": "CVE-2019-19343", "trust": 0.1 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-25685" }, { "db": "VULMON", "id": "CVE-2019-19343" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "PACKETSTORM", "id": "160562" }, { "db": "PACKETSTORM", "id": "158095" }, { "db": "NVD", "id": "CVE-2019-19343" }, { "db": "CNNVD", "id": "CNNVD-202006-1060" } ] }, "id": "VAR-202103-0062", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "CNVD", "id": "CNVD-2021-25685" } ], "trust": 1.6 }, "iot_taxonomy": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "category": [ "Network device" ], "sub_category": null, "trust": 0.6 } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-25685" } ] }, "last_update_date": "2023-12-18T11:15:08.210000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Bug\u00a01780445", "trust": 0.8, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780445" }, { "title": "Debian CVElist Bug Report Logs: undertow: CVE-2019-19343", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=dc1c048491658cc35a54fe584492512e" }, { "title": "Red Hat: Important: EAP Continuous Delivery Technical Preview Release 18 security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202565 - security advisory" }, { "title": "Red Hat: Important: Red Hat Fuse 7.8.0 release and security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20205568 - security advisory" } ], "sources": [ { "db": "VULMON", "id": "CVE-2019-19343" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-404", "trust": 1.0 }, { "problemtype": "Resource exhaustion (CWE-400) [NVD Evaluation ]", "trust": 0.8 } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "NVD", "id": "CVE-2019-19343" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.7, "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1780445" }, { "trust": 1.7, "url": "https://issues.redhat.com/browse/jbeap-16695" }, { "trust": 1.6, "url": "https://security.netapp.com/advisory/ntap-20220211-0002/" }, { "trust": 1.2, "url": "https://www.auscert.org.au/bulletins/esb-2020.2071/" }, { "trust": 1.2, "url": "https://packetstormsecurity.com/files/158095/red-hat-security-advisory-2020-2565-01.html" }, { "trust": 1.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-19343" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/160562/red-hat-security-advisory-2020-5568-01.html" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/undertow-memory-leak-via-httpopenlistener-34925" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2020.4464/" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2019-19343" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/400.html" }, { "trust": 0.1, "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948024" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-1719" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.8.0" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12406" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11973" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11972" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-2692" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-9488" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000873" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11989" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10740" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17566" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-13990" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11980" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11972" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-1950" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12406" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11989" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3774" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0210" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11612" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11980" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-1960" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0205" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1393" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11971" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-17566" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2018-1000873" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-7226" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10219" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-9489" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-14326" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-13692" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14900" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-0210" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-10202" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10202" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10683" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-13990" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3773" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13692" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-10683" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11994" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-10219" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11973" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-1714" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-5398" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11777" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-14900" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-13933" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-12423" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3774" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-10740" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11612" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-17638" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12423" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17638" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-2692" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11994" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11971" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:5568" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3773" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-0205" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-11777" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9511" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9514" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9515" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11620" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9511" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9512" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9514" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-14838" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-9515" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11619" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2565" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11619" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-11620" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9512" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14838" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2019-3805" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3805" } ], "sources": [ { "db": "CNVD", "id": "CNVD-2021-25685" }, { "db": "VULMON", "id": "CVE-2019-19343" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "PACKETSTORM", "id": "160562" }, { "db": "PACKETSTORM", "id": "158095" }, { "db": "NVD", "id": "CVE-2019-19343" }, { "db": "CNNVD", "id": "CNNVD-202006-1060" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "CNVD", "id": "CNVD-2021-25685" }, { "db": "VULMON", "id": "CVE-2019-19343" }, { "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "db": "PACKETSTORM", "id": "160562" }, { "db": "PACKETSTORM", "id": "158095" }, { "db": "NVD", "id": "CVE-2019-19343" }, { "db": "CNNVD", "id": "CNNVD-202006-1060" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-04-08T00:00:00", "db": "CNVD", "id": "CNVD-2021-25685" }, { "date": "2021-03-23T00:00:00", "db": "VULMON", "id": "CVE-2019-19343" }, { "date": "2021-12-01T00:00:00", "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "date": "2020-12-16T18:17:52", "db": "PACKETSTORM", "id": "160562" }, { "date": "2020-06-16T00:54:44", "db": "PACKETSTORM", "id": "158095" }, { "date": "2021-03-23T21:15:13.417000", "db": "NVD", "id": "CVE-2019-19343" }, { "date": "2020-06-16T00:00:00", "db": "CNNVD", "id": "CNNVD-202006-1060" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-04-08T00:00:00", "db": "CNVD", "id": "CNVD-2021-25685" }, { "date": "2021-03-26T00:00:00", "db": "VULMON", "id": "CVE-2019-19343" }, { "date": "2021-12-01T03:23:00", "db": "JVNDB", "id": "JVNDB-2019-016231" }, { "date": "2022-05-03T13:05:02.290000", "db": "NVD", "id": "CVE-2019-19343" }, { "date": "2022-05-05T00:00:00", "db": "CNNVD", "id": "CNNVD-202006-1060" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "160562" }, { "db": "CNNVD", "id": "CNNVD-202006-1060" } ], "trust": 0.7 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "plural \u00a0Red\u00a0Hat\u00a0 Resource depletion vulnerability in the product", "sources": [ { "db": "JVNDB", "id": "JVNDB-2019-016231" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "resource management error", "sources": [ { "db": "CNNVD", "id": "CNNVD-202006-1060" } ], "trust": 0.6 } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.