Vulnerabilites related to netapp - bluexp
cve-2022-42889
Vulnerability from cvelistv5
Published
2022-10-13 00:00
Modified
2024-11-20 16:19
Severity ?
EPSS score ?
Summary
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Text |
Version: unspecified < Version: 1.5 < Apache Commons Text* |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T13:19:05.212Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { name: "[oss-security] 20221013 CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/4", }, { name: "[oss-security] 20221017 Re: CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults", tags: [ "mailing-list", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2022/10/18/1", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20221020-0004/", }, { tags: [ "x_transferred", ], url: "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022", }, { name: "GLSA-202301-05", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/202301-05", }, { name: "20230214 OXAS-ADV-2022-0002: OX App Suite Security Advisory", tags: [ "mailing-list", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2023/Feb/3", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html", }, { tags: [ "x_transferred", ], url: "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2022-42889", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-01-24T16:22:10.690380Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-11-20T16:19:41.416Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Apache Commons Text", vendor: "Apache Software Foundation", versions: [ { lessThanOrEqual: "1.9", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "Apache Commons Text*", status: "affected", version: "1.5", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en", value: "Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.", }, ], metrics: [ { other: { content: { other: "important", }, type: "unknown", }, }, ], problemTypes: [ { descriptions: [ { description: "Unexpected variable interpolation", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-19T16:06:47.362105", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { name: "[oss-security] 20221013 CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/4", }, { name: "[oss-security] 20221017 Re: CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2022/10/18/1", }, { url: "https://security.netapp.com/advisory/ntap-20221020-0004/", }, { url: "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022", }, { name: "GLSA-202301-05", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/202301-05", }, { name: "20230214 OXAS-ADV-2022-0002: OX App Suite Security Advisory", tags: [ "mailing-list", ], url: "http://seclists.org/fulldisclosure/2023/Feb/3", }, { url: "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html", }, { url: "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html", }, ], source: { discovery: "UNKNOWN", }, title: "Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults", workarounds: [ { lang: "en", value: "Upgrade to Apache Commons Text 1.10.0.", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2022-42889", datePublished: "2022-10-13T00:00:00", dateReserved: "2022-10-12T00:00:00", dateUpdated: "2024-11-20T16:19:41.416Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-21055
Vulnerability from cvelistv5
Published
2024-04-16 21:26
Modified
2025-03-18 15:36
Severity ?
EPSS score ?
Summary
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | MySQL Server |
Version: * < cpe:2.3:a:oracle:mysql_server:8.0.35_and_prior:*:*:*:*:*:*:* |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T22:13:42.365Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2024.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240426-0011/", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-21055", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-07T13:51:19.112067Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-18T15:36:36.496Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { cpes: [ "cpe:2.3:a:oracle:mysql_server:8.0.35_and_prior:*:*:*:*:*:*:*", ], product: "MySQL Server", vendor: "Oracle Corporation", versions: [ { lessThanOrEqual: "8.0.35", status: "affected", version: "*", versionType: "custom", }, ], }, ], descriptions: [ { lang: "en-US", value: "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.", lang: "en-US", }, ], }, ], providerMetadata: { dateUpdated: "2024-04-26T09:06:28.319Z", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2024.html", }, { url: "https://security.netapp.com/advisory/ntap-20240426-0011/", }, ], }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2024-21055", datePublished: "2024-04-16T21:26:16.694Z", dateReserved: "2023-12-07T22:28:10.661Z", dateUpdated: "2025-03-18T15:36:36.496Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-22201
Vulnerability from cvelistv5
Published
2024-02-26 16:13
Modified
2025-02-13 17:33
Severity ?
EPSS score ?
Summary
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jetty | jetty.project |
Version: >= 9.3.0, <= 9.4.53 Version: >= 10.0.0, <= 10.0.19 Version: >= 11.0.0, <= 11.0.19 Version: >= 12.0.0, <= 12.0.5 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T22:35:34.848Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", }, { name: "https://github.com/jetty/jetty.project/issues/11256", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/jetty/jetty.project/issues/11256", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240329-0001/", }, { tags: [ "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html", }, { tags: [ "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2024/03/20/2", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:jetty:jetty.project:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "jetty.project", vendor: "jetty", versions: [ { lessThanOrEqual: "9.4.53", status: "affected", version: "9.3.0", versionType: "custom", }, { lessThanOrEqual: "10.0.19", status: "affected", version: "10.0.0", versionType: "custom", }, { lessThanOrEqual: "11.0.19", status: "affected", version: "11.0.0", versionType: "custom", }, { lessThanOrEqual: "12.0.5", status: "affected", version: "12.0.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-22201", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-04-01T18:49:17.679314Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-28T14:21:40.015Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "jetty.project", vendor: "jetty", versions: [ { status: "affected", version: ">= 9.3.0, <= 9.4.53", }, { status: "affected", version: ">= 10.0.0, <= 10.0.19", }, { status: "affected", version: ">= 11.0.0, <= 11.0.19", }, { status: "affected", version: ">= 12.0.0, <= 12.0.5", }, ], }, ], descriptions: [ { lang: "en", value: "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-01T18:08:05.942Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", }, { name: "https://github.com/jetty/jetty.project/issues/11256", tags: [ "x_refsource_MISC", ], url: "https://github.com/jetty/jetty.project/issues/11256", }, { url: "https://security.netapp.com/advisory/ntap-20240329-0001/", }, { url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html", }, { url: "http://www.openwall.com/lists/oss-security/2024/03/20/2", }, ], source: { advisory: "GHSA-rggv-cv7r-mw98", discovery: "UNKNOWN", }, title: "Jetty connection leaking on idle timeout when TCP congested", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-22201", datePublished: "2024-02-26T16:13:33.848Z", dateReserved: "2024-01-08T04:59:27.371Z", dateUpdated: "2025-02-13T17:33:34.951Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-25111
Vulnerability from cvelistv5
Published
2024-03-06 18:14
Modified
2025-02-13 17:40
Severity ?
EPSS score ?
Summary
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| squid-cache | squid |
Version: >= 3.5.27, < 6.8 |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "bluexp", vendor: "netapp", versions: [ { lessThan: "*", status: "affected", version: "0", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:a:squid-cache:squid:3.5.27:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "squid", vendor: "squid-cache", versions: [ { lessThan: "6.8", status: "affected", version: "3.5.27", versionType: "custom", }, ], }, { cpes: [ "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "fedora", vendor: "fedoraproject", versions: [ { status: "affected", version: "38", }, ], }, { cpes: [ "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "fedora", vendor: "fedoraproject", versions: [ { status: "affected", version: "39", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-25111", options: [ { Exploitation: "poc", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-25T16:32:12.720279Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-25T16:34:20.389Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:36:21.702Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", }, { name: "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240605-0001/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "squid", vendor: "squid-cache", versions: [ { status: "affected", version: ">= 3.5.27, < 6.8", }, ], }, ], descriptions: [ { lang: "en", value: "Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-674", description: "CWE-674: Uncontrolled Recursion", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-06-10T17:12:09.106Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", }, { name: "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", tags: [ "x_refsource_MISC", ], url: "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/", }, { url: "https://security.netapp.com/advisory/ntap-20240605-0001/", }, ], source: { advisory: "GHSA-72c2-c3wm-8qxc", discovery: "UNKNOWN", }, title: "SQUID-2024:1 Denial of Service in HTTP Chunked Decoding", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-25111", datePublished: "2024-03-06T18:14:28.889Z", dateReserved: "2024-02-05T14:14:46.378Z", dateUpdated: "2025-02-13T17:40:47.040Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-25617
Vulnerability from cvelistv5
Published
2024-02-14 20:55
Modified
2025-02-13 17:40
Severity ?
EPSS score ?
Summary
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| squid-cache | squid |
Version: < 6.5 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:44:09.683Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", }, { name: "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240322-0006/", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "squid", vendor: "squid-cache", versions: [ { lessThan: "6.5", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-25617", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-16T18:04:53.172761Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-16T18:06:08.382Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "squid", vendor: "squid-cache", versions: [ { status: "affected", version: "< 6.5", }, ], }, ], descriptions: [ { lang: "en", value: "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400: Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-182", description: "CWE-182: Collapse of Data into Unsafe Value", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-22T19:06:02.563Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", }, { name: "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", tags: [ "x_refsource_MISC", ], url: "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", }, { url: "https://security.netapp.com/advisory/ntap-20240322-0006/", }, ], source: { advisory: "GHSA-h5x6-w8mv-xfpr", discovery: "UNKNOWN", }, title: "Denial of Service in HTTP Header parser in squid proxy", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2024-25617", datePublished: "2024-02-14T20:55:52.004Z", dateReserved: "2024-02-08T22:26:33.510Z", dateUpdated: "2025-02-13T17:40:50.579Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-21131
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-02-13 17:33
Severity ?
EPSS score ?
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-21131", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T13:34:16.932375Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { description: "CWE-noinfo Not enough information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-07T17:07:59.694Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:13:42.680Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Java SE JDK and JRE", vendor: "Oracle Corporation", versions: [ { status: "affected", version: "Oracle Java SE:8u411", }, { status: "affected", version: "Oracle Java SE:8u411-perf", }, { status: "affected", version: "Oracle Java SE:11.0.23", }, { status: "affected", version: "Oracle Java SE:17.0.11", }, { status: "affected", version: "Oracle Java SE:21.0.3", }, { status: "affected", version: "Oracle Java SE:22.0.1", }, { status: "affected", version: "Oracle GraalVM for JDK:17.0.11", }, { status: "affected", version: "Oracle GraalVM for JDK:21.0.3", }, { status: "affected", version: "Oracle GraalVM for JDK:22.0.1", }, { status: "affected", version: "Oracle GraalVM Enterprise Edition:20.3.14", }, { status: "affected", version: "Oracle GraalVM Enterprise Edition:21.3.10", }, ], }, ], descriptions: [ { lang: "en-US", value: "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.", lang: "en-US", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-19T13:06:06.593Z", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, ], }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2024-21131", datePublished: "2024-07-16T22:39:53.849Z", dateReserved: "2023-12-07T22:28:10.682Z", dateUpdated: "2025-02-13T17:33:11.353Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-21138
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-03-13 17:09
Severity ?
EPSS score ?
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-21138", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T13:32:40.581780Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { description: "CWE-noinfo Not enough information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-13T17:09:26.823Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:13:42.697Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Java SE JDK and JRE", vendor: "Oracle Corporation", versions: [ { status: "affected", version: "Oracle Java SE:8u411", }, { status: "affected", version: "Oracle Java SE:8u411-perf", }, { status: "affected", version: "Oracle Java SE:11.0.23", }, { status: "affected", version: "Oracle Java SE:17.0.11", }, { status: "affected", version: "Oracle Java SE:21.0.3", }, { status: "affected", version: "Oracle Java SE:22.0.1", }, { status: "affected", version: "Oracle GraalVM for JDK:17.0.11", }, { status: "affected", version: "Oracle GraalVM for JDK:21.0.3", }, { status: "affected", version: "Oracle GraalVM for JDK:22.0.1", }, { status: "affected", version: "Oracle GraalVM Enterprise Edition:20.3.14", }, { status: "affected", version: "Oracle GraalVM Enterprise Edition:21.3.10", }, ], }, ], descriptions: [ { lang: "en-US", value: "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.", lang: "en-US", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-19T13:06:11.463Z", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, ], }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2024-21138", datePublished: "2024-07-16T22:39:56.205Z", dateReserved: "2023-12-07T22:28:10.682Z", dateUpdated: "2025-03-13T17:09:26.823Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-21145
Vulnerability from cvelistv5
Published
2024-07-16 22:39
Modified
2025-03-13 14:00
Severity ?
EPSS score ?
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Oracle Corporation | Java SE JDK and JRE |
Version: Oracle Java SE:8u411 Version: Oracle Java SE:8u411-perf Version: Oracle Java SE:11.0.23 Version: Oracle Java SE:17.0.11 Version: Oracle Java SE:21.0.3 Version: Oracle Java SE:22.0.1 Version: Oracle GraalVM for JDK:17.0.11 Version: Oracle GraalVM for JDK:21.0.3 Version: Oracle GraalVM for JDK:22.0.1 Version: Oracle GraalVM Enterprise Edition:20.3.14 Version: Oracle GraalVM Enterprise Edition:21.3.10 |
{ containers: { adp: [ { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, { other: { content: { id: "CVE-2024-21145", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T13:58:12.588215Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", description: "CWE-284 Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-03-13T14:00:55.465Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T22:13:42.684Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Java SE JDK and JRE", vendor: "Oracle Corporation", versions: [ { status: "affected", version: "Oracle Java SE:8u411", }, { status: "affected", version: "Oracle Java SE:8u411-perf", }, { status: "affected", version: "Oracle Java SE:11.0.23", }, { status: "affected", version: "Oracle Java SE:17.0.11", }, { status: "affected", version: "Oracle Java SE:21.0.3", }, { status: "affected", version: "Oracle Java SE:22.0.1", }, { status: "affected", version: "Oracle GraalVM for JDK:17.0.11", }, { status: "affected", version: "Oracle GraalVM for JDK:21.0.3", }, { status: "affected", version: "Oracle GraalVM for JDK:22.0.1", }, { status: "affected", version: "Oracle GraalVM Enterprise Edition:20.3.14", }, { status: "affected", version: "Oracle GraalVM Enterprise Edition:21.3.10", }, ], }, ], descriptions: [ { lang: "en-US", value: "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.", lang: "en-US", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-19T13:06:08.196Z", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { name: "Oracle Advisory", tags: [ "vendor-advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, ], }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2024-21145", datePublished: "2024-07-16T22:39:58.658Z", dateReserved: "2023-12-07T22:28:10.683Z", dateUpdated: "2025-03-13T14:00:55.465Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2024-02-14 21:15
Modified
2025-01-09 13:51
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| squid-cache | squid | * | |
| netapp | bluexp | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", matchCriteriaId: "D809589D-9661-408B-9A8F-3B878B10518F", versionEndExcluding: "6.5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to a Collapse of Data into Unsafe Value bug ,Squid may be vulnerable to a Denial of Service attack against HTTP header parsing. This problem allows a remote client or a remote server to perform Denial of Service when sending oversized headers in HTTP messages. In versions of Squid prior to 6.5 this can be achieved if the request_header_max_size or reply_header_max_size settings are unchanged from the default. In Squid version 6.5 and later, the default setting of these parameters is safe. Squid will emit a critical warning in cache.log if the administrator is setting these parameters to unsafe values. Squid will not at this time prevent these settings from being changed to unsafe values. Users are advised to upgrade to version 6.5. There are no known workarounds for this vulnerability. This issue is also tracked as SQUID-2024:2 ", }, { lang: "es", value: "Squid es un proxy de almacenamiento en caché de código abierto para la Web que admite HTTP, HTTPS, FTP y más. Debido a un error de colapso de datos en valor inseguro, Squid puede ser vulnerable a un ataque de denegación de servicio contra el análisis de encabezados HTTP. Este problema permite que un cliente remoto o un servidor remoto realice una Denegación de Servicio al enviar encabezados de gran tamaño en mensajes HTTP. En versiones de Squid anteriores a la 6.5, esto se puede lograr si las configuraciones request_header_max_size o Reply_header_max_size no se modifican con respecto a las predeterminadas. En la versión 6.5 y posteriores de Squid, la configuración predeterminada de estos parámetros es segura. Squid emitirá una advertencia crítica en cache.log si el administrador configura estos parámetros en valores no seguros. Squid no impedirá en este momento que estas configuraciones se cambien a valores inseguros. Se recomienda a los usuarios que actualicen a la versión 6.5. No se conocen workarounds para esta vulnerabilidad. Este problema también se rastrea como SQUID-2024:2", }, ], id: "CVE-2024-25617", lastModified: "2025-01-09T13:51:19.633", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-14T21:15:08.197", references: [ { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Third Party Advisory", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", }, { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://security.netapp.com/advisory/ntap-20240322-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/squid-cache/squid/commit/72a3bbd5e431597c3fdb56d752bc56b010ba3817", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-h5x6-w8mv-xfpr", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "Vendor Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240322-0006/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-182", }, { lang: "en", value: "CWE-400", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-16 23:15
Modified
2025-03-13 14:15
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oracle | graalvm | 20.3.14 | |
| oracle | graalvm | 21.3.10 | |
| oracle | graalvm | 22.0.1 | |
| oracle | graalvm_for_jdk | 17.0.11 | |
| oracle | graalvm_for_jdk | 21.0.3 | |
| oracle | graalvm_for_jdk | 22.0.1 | |
| oracle | jdk | 1.8.0 | |
| oracle | jdk | 1.8.0 | |
| oracle | jdk | 11.0.23 | |
| oracle | jdk | 17.0.11 | |
| oracle | jdk | 21.0.3 | |
| oracle | jdk | 22.0.1 | |
| oracle | jre | 1.8.0 | |
| oracle | jre | 1.8.0 | |
| oracle | jre | 11.0.23 | |
| oracle | jre | 17.0.11 | |
| oracle | jre | 21.0.3 | |
| oracle | jre | 22.0.1 | |
| netapp | bluexp | - | |
| netapp | cloud_insights_storage_workload_security_agent | - | |
| netapp | oncommand_insight | - | |
| netapp | oncommand_workflow_automation | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:graalvm:20.3.14:*:*:*:enterprise:*:*:*", matchCriteriaId: "AA5074F2-F35B-499E-A181-E272449B044D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:21.3.10:*:*:*:enterprise:*:*:*", matchCriteriaId: "39F28D35-48E1-450D-884A-D2578C99E8EC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:22.0.1:*:*:*:enterprise:*:*:*", matchCriteriaId: "CD50990D-63DE-412F-B370-0568EA8B32FB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "E104024C-15B5-4EFB-A26B-C69D303933CA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "CAEB1A60-678D-4BAF-9D95-43C9DCFC8D68", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "AD14A144-2CA9-498E-84B9-87733E33C602", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:-:*:*:*", matchCriteriaId: "B43C161D-E6DE-402A-831E-4F8BB9B75826", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:enterprise_performance_pack:*:*:*", matchCriteriaId: "54DCB9FD-A3FB-4901-A13F-9064921C77C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:11.0.23:*:*:*:*:*:*:*", matchCriteriaId: "21F9B73E-696B-4F6B-A019-83A68179E422", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "C52598F8-1859-4007-ABEE-03A463482F4A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "62AE87F9-A4B3-4163-9A19-3E606CF72720", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "3AD2D0EA-694D-4629-A1F7-244C9B154248", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:-:*:*:*", matchCriteriaId: "9A51F12C-42D0-41BC-A9DB-F2934BA1384B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:enterprise_performance_pack:*:*:*", matchCriteriaId: "F70BAD0D-1601-4C61-B6B2-1A1DBB48B067", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:11.0.23:*:*:*:*:*:*:*", matchCriteriaId: "49A5200E-E144-4C02-BAAB-8EAF734EEC5F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "47E6B664-D2ED-425F-B27B-3E57278B1C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "06104137-B672-4AB8-AEB4-5AEE95D978FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F92B7DB4-7E5C-4961-8BB3-D3DF4A833E79", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:cloud_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*", matchCriteriaId: "3B199052-5732-4726-B06B-A12C70DFB891", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", }, { lang: "es", value: "Vulnerabilidad en el producto Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition de Oracle Java SE (componente: 2D). Las versiones compatibles que se ven afectadas son Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM para JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 y 21.3.10. Una vulnerabilidad difícil de explotar permite que un atacante no autenticado con acceso a la red a través de múltiples protocolos comprometa Oracle Java SE, Oracle GraalVM para JDK y Oracle GraalVM Enterprise Edition. Los ataques exitosos de esta vulnerabilidad pueden resultar en acceso no autorizado a actualizaciones, inserción o eliminación de algunos datos accesibles de Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition, así como acceso de lectura no autorizado a un subconjunto de Oracle Java SE, Oracle GraalVM para JDK, datos accesibles de Oracle GraalVM Enterprise Edition. Nota: Esta vulnerabilidad se puede aprovechar utilizando API en el componente especificado, por ejemplo, a través de un servicio web que proporciona datos a las API. Esta vulnerabilidad también se aplica a las implementaciones de Java, normalmente en clientes que ejecutan aplicaciones Java Web Start en un espacio aislado o subprogramas de Java en un espacio aislado, que cargan y ejecutan código que no es de confianza (por ejemplo, código que proviene de Internet) y dependen del entorno limitado de Java para su seguridad. CVSS 3.1 Puntaje base 4.8 (Impactos en la confidencialidad y la integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).", }, ], id: "CVE-2024-21145", lastModified: "2025-03-13T14:15:20.360", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 2.5, source: "secalert_us@oracle.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.8, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 2.5, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2024-07-16T23:15:15.993", references: [ { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-284", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-04-16 22:15
Modified
2025-03-18 16:15
Severity ?
Summary
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oracle | mysql | * | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | bluexp | - | |
| netapp | oncommand_insight | - | |
| netapp | oncommand_workflow_automation | - | |
| netapp | snapcenter | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*", matchCriteriaId: "AA4C99CA-6232-4CAF-97EB-39D1B5C815E4", versionEndIncluding: "8.0.35", versionStartIncluding: "8.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).", }, { lang: "es", value: "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Servidor: Optimizador). Las versiones compatibles que se ven afectadas son la 8.0.35 y anteriores. Una vulnerabilidad fácilmente explotable permite que un atacante con altos privilegios y acceso a la red a través de múltiples protocolos comprometa el servidor MySQL. Los ataques exitosos a esta vulnerabilidad pueden resultar en una capacidad no autorizada de provocar un bloqueo o una falla frecuentemente repetible (DOS completo) del servidor MySQL. CVSS 3.1 Puntuación base 4.9 (impactos en la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).", }, ], id: "CVE-2024-21055", lastModified: "2025-03-18T16:15:20.353", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 4.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 3.6, source: "secalert_us@oracle.com", type: "Primary", }, ], }, published: "2024-04-16T22:15:23.010", references: [ { source: "secalert_us@oracle.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240426-0011/", }, { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2024.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240426-0011/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2024.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-03-06 19:15
Modified
2025-04-10 17:44
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| squid-cache | squid | * | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| netapp | bluexp | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:squid-cache:squid:*:*:*:*:*:*:*:*", matchCriteriaId: "E44262DC-034E-4721-A653-BA7178370A68", versionEndExcluding: "6.8", versionStartIncluding: "3.5.27", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", matchCriteriaId: "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", matchCriteriaId: "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Squid is a web proxy cache. Starting in version 3.5.27 and prior to version 6.8, Squid may be vulnerable to a Denial of Service attack against HTTP Chunked decoder due to an uncontrolled recursion bug. This problem allows a remote attacker to cause Denial of Service when sending a crafted, chunked, encoded HTTP Message. This bug is fixed in Squid version 6.8. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. There is no workaround for this issue.", }, { lang: "es", value: "Squid es un caché de proxy web. A partir de la versión 3.5.27 y antes de la versión 6.8, Squid puede ser vulnerable a un ataque de denegación de servicio contra el decodificador HTTP fragmentado debido a un error de recursividad no controlado. Este problema permite a un atacante remoto provocar una denegación de servicio al enviar un mensaje HTTP codificado, fragmentado y manipulado. Este error se solucionó en la versión 6.8 de Squid. Además, los parches que solucionan este problema para las versiones estables se pueden encontrar en los archivos de parches de Squid. No hay workaround para este problema.", }, ], id: "CVE-2024-25111", lastModified: "2025-04-10T17:44:48.837", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-03-06T19:15:07.510", references: [ { source: "security-advisories@github.com", tags: [ "Mailing List", "Patch", ], url: "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", }, { source: "security-advisories@github.com", tags: [ "Mailing List", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/", }, { source: "security-advisories@github.com", tags: [ "Mailing List", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240605-0001/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "http://www.squid-cache.org/Versions/v6/SQUID-2024_1.patch", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/squid-cache/squid/security/advisories/GHSA-72c2-c3wm-8qxc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7R4KPSO3MQT3KAOZV7LC2GG3CYMCGK7H/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWQHRDRHDM5PQTU6BHH4C5KGL37X6TVI/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240605-0001/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-674", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-674", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-10-13 13:15
Modified
2024-11-21 07:25
Severity ?
Summary
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | commons_text | * | |
| netapp | bluexp | - | |
| juniper | security_threat_response_manager | * | |
| juniper | security_threat_response_manager | 7.5.0 | |
| juniper | security_threat_response_manager | 7.5.0 | |
| juniper | security_threat_response_manager | 7.5.0 | |
| juniper | security_threat_response_manager | 7.5.0 | |
| juniper | jsa1500 | - | |
| juniper | jsa3500 | - | |
| juniper | jsa3800 | - | |
| juniper | jsa5500 | - | |
| juniper | jsa5800 | - | |
| juniper | jsa7500 | - | |
| juniper | jsa7800 | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:commons_text:*:*:*:*:*:*:*:*", matchCriteriaId: "F52B385F-442F-4587-B680-DD74CC525D27", versionEndExcluding: "1.10.0", versionStartIncluding: "1.5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:juniper:security_threat_response_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "334BA50E-637D-42E7-AD73-BC13498D79D0", versionEndExcluding: "7.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:juniper:security_threat_response_manager:7.5.0:-:*:*:*:*:*:*", matchCriteriaId: "F5745211-E47A-481B-928F-B56013DAC19C", vulnerable: true, }, { criteria: "cpe:2.3:a:juniper:security_threat_response_manager:7.5.0:up1:*:*:*:*:*:*", matchCriteriaId: "1B716977-E015-4628-854B-5828FC3DC150", vulnerable: true, }, { criteria: "cpe:2.3:a:juniper:security_threat_response_manager:7.5.0:up2:*:*:*:*:*:*", matchCriteriaId: "22F53DC6-084C-4C06-9A5C-550511E5CC58", vulnerable: true, }, { criteria: "cpe:2.3:a:juniper:security_threat_response_manager:7.5.0:up3:*:*:*:*:*:*", matchCriteriaId: "41FFF517-DCAC-4CF1-A6D7-29828B037245", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:juniper:jsa1500:-:*:*:*:*:*:*:*", matchCriteriaId: "D6F62545-4393-4FD6-9EF4-3516E8835F58", vulnerable: false, }, { criteria: "cpe:2.3:h:juniper:jsa3500:-:*:*:*:*:*:*:*", matchCriteriaId: "BBF05B6A-B4F6-4F7A-927E-106A8C1E8ED7", vulnerable: false, }, { criteria: "cpe:2.3:h:juniper:jsa3800:-:*:*:*:*:*:*:*", matchCriteriaId: "421FD233-CA15-4207-8690-6A1C4C23BDB8", vulnerable: false, }, { criteria: "cpe:2.3:h:juniper:jsa5500:-:*:*:*:*:*:*:*", matchCriteriaId: "08C686CC-C971-4891-B8F9-9BE4C09B1160", vulnerable: false, }, { criteria: "cpe:2.3:h:juniper:jsa5800:-:*:*:*:*:*:*:*", matchCriteriaId: "9075ED11-DD7E-49E2-90F5-50ACFCD2F4A4", vulnerable: false, }, { criteria: "cpe:2.3:h:juniper:jsa7500:-:*:*:*:*:*:*:*", matchCriteriaId: "57A506DE-88CE-45C9-A41A-9B5B4E62F36C", vulnerable: false, }, { criteria: "cpe:2.3:h:juniper:jsa7800:-:*:*:*:*:*:*:*", matchCriteriaId: "7AFBD1EF-96B1-475E-896A-4000463FEA0A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.", }, { lang: "es", value: "Apache Commons Text lleva a cabo una interpolación de variables, permitiendo que las propiedades sean evaluadas y expandidas dinámicamente. El formato estándar para la interpolación es \"${prefix:name}\", donde \"prefix\" es usado para localizar una instancia de org.apache.commons.text.lookup.StringLookup que lleva a cabo la interpolación. A partir de la versión 1.5 y hasta 1.9, el conjunto de instancias de Lookup por defecto incluía interpoladores que podían dar lugar a una ejecución de código arbitrario o al contacto con servidores remotos. Estos lookups son: - \"script\" - ejecuta expresiones usando el motor de ejecución de scripts de la JVM (javax.script) - \"dns\" - resuelve registros dns - \"url\" - carga valores de urls, incluso de servidores remotos Las aplicaciones usando los interpoladores por defecto en las versiones afectadas pueden ser vulnerables a una ejecución de código remota o al contacto involuntario con servidores remotos si son usados valores de configuración que no son confiables. Es recomendado a usuarios actualizar a Apache Commons Text versión 1.10.0, que deshabilita los interpoladores problemáticos por defecto", }, ], id: "CVE-2022-42889", lastModified: "2024-11-21T07:25:32.100", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-10-13T13:15:10.113", references: [ { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html", }, { source: "security@apache.org", url: "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2023/Feb/3", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/4", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/18/1", }, { source: "security@apache.org", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202301-05", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221020-0004/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://seclists.org/fulldisclosure/2023/Feb/3", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/13/4", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2022/10/18/1", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Vendor Advisory", ], url: "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.gentoo.org/glsa/202301-05", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20221020-0004/", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-26 16:27
Modified
2025-02-13 18:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "81569DC0-AF55-4626-9C18-E28CE3C59946", versionEndExcluding: "9.4.54", versionStartIncluding: "9.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "63104980-9A3B-4B74-8B99-4C89DCEE7190", versionEndExcluding: "10.0.20", versionStartIncluding: "10.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "AB6A0E19-3A46-4FD0-9049-E321B0376F10", versionEndExcluding: "11.0.20", versionStartIncluding: "11.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", matchCriteriaId: "31EC28A0-676C-42ED-92F0-DC9457CF18C7", versionEndExcluding: "12.0.6", versionStartIncluding: "12.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.", }, { lang: "es", value: "Jetty es un servidor web y motor de servlet basado en Java. Una conexión SSL HTTP/2 que esté establecida y TCP congestionada se filtrará cuando expire el tiempo de espera. Un atacante puede provocar que muchas conexiones terminen en este estado y que el servidor se quede sin descriptores de archivos, lo que eventualmente provocará que el servidor deje de aceptar nuevas conexiones de clientes válidos. La vulnerabilidad está parcheada en 9.4.54, 10.0.20, 11.0.20 y 12.0.6.", }, ], id: "CVE-2024-22201", lastModified: "2025-02-13T18:16:46.810", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-26T16:27:56.343", references: [ { source: "security-advisories@github.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/20/2", }, { source: "security-advisories@github.com", tags: [ "Issue Tracking", ], url: "https://github.com/jetty/jetty.project/issues/11256", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", }, { source: "security-advisories@github.com", tags: [ "Mailing List", ], url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240329-0001/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2024/03/20/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://github.com/jetty/jetty.project/issues/11256", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00002.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240329-0001/", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-770", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-16 23:15
Modified
2024-12-05 22:02
Severity ?
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| oracle | graalvm | 20.3.14 | |
| oracle | graalvm | 21.3.10 | |
| oracle | graalvm_for_jdk | 17.0.11 | |
| oracle | graalvm_for_jdk | 21.0.3 | |
| oracle | graalvm_for_jdk | 22.0.1 | |
| oracle | jdk | 1.8.0 | |
| oracle | jdk | 1.8.0 | |
| oracle | jdk | 11.0.23 | |
| oracle | jdk | 17.0.11 | |
| oracle | jdk | 21.0.3 | |
| oracle | jdk | 22.0.1 | |
| oracle | jre | 1.8.0 | |
| oracle | jre | 1.8.0 | |
| oracle | jre | 11.0.23 | |
| oracle | jre | 17.0.11 | |
| oracle | jre | 21.0.3 | |
| oracle | jre | 22.0.1 | |
| netapp | active_iq_unified_manager | - | |
| netapp | bluexp | - | |
| netapp | data_infrastructure_insights_storage_workload_security_agent | - | |
| netapp | oncommand_insight | - | |
| netapp | oncommand_workflow_automation | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:graalvm:20.3.14:*:*:*:enterprise:*:*:*", matchCriteriaId: "AA5074F2-F35B-499E-A181-E272449B044D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:21.3.10:*:*:*:enterprise:*:*:*", matchCriteriaId: "39F28D35-48E1-450D-884A-D2578C99E8EC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "E104024C-15B5-4EFB-A26B-C69D303933CA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "CAEB1A60-678D-4BAF-9D95-43C9DCFC8D68", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "AD14A144-2CA9-498E-84B9-87733E33C602", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:*:*:*:*", matchCriteriaId: "20DFA1BB-BA28-4CCA-835E-D09D469170FB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:enterprise_performance_pack:*:*:*", matchCriteriaId: "54DCB9FD-A3FB-4901-A13F-9064921C77C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:11.0.23:*:*:*:*:*:*:*", matchCriteriaId: "21F9B73E-696B-4F6B-A019-83A68179E422", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "C52598F8-1859-4007-ABEE-03A463482F4A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "62AE87F9-A4B3-4163-9A19-3E606CF72720", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "3AD2D0EA-694D-4629-A1F7-244C9B154248", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:*:*:*:*", matchCriteriaId: "C5F6C67C-C4FF-44F1-BF6D-EE1E4D0D9E61", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:enterprise_performance_pack:*:*:*", matchCriteriaId: "F70BAD0D-1601-4C61-B6B2-1A1DBB48B067", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:11.0.23:*:*:*:*:*:*:*", matchCriteriaId: "49A5200E-E144-4C02-BAAB-8EAF734EEC5F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "47E6B664-D2ED-425F-B27B-3E57278B1C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "06104137-B672-4AB8-AEB4-5AEE95D978FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F92B7DB4-7E5C-4961-8BB3-D3DF4A833E79", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:data_infrastructure_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*", matchCriteriaId: "EB7A9455-165A-42CE-B5D1-648AACB2ED05", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).", }, { lang: "es", value: "Vulnerabilidad en el producto Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition de Oracle Java SE (componente: Hotspot). Las versiones compatibles que se ven afectadas son Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM para JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 y 21.3.10. Una vulnerabilidad difícil de explotar permite que un atacante no autenticado con acceso a la red a través de múltiples protocolos comprometa Oracle Java SE, Oracle GraalVM para JDK y Oracle GraalVM Enterprise Edition. Los ataques exitosos a esta vulnerabilidad pueden dar como resultado una actualización, inserción o eliminación no autorizada del acceso a algunos de los datos accesibles de Oracle Java SE, Oracle GraalVM para JDK y Oracle GraalVM Enterprise Edition. Nota: Esta vulnerabilidad se puede aprovechar utilizando API en el componente especificado, por ejemplo, a través de un servicio web que proporciona datos a las API. Esta vulnerabilidad también se aplica a las implementaciones de Java, normalmente en clientes que ejecutan aplicaciones Java Web Start en un espacio aislado o subprogramas de Java en un espacio aislado, que cargan y ejecutan código que no es de confianza (por ejemplo, código que proviene de Internet) y dependen del entorno limitado de Java para su seguridad. CVSS 3.1 Puntaje base 3.7 (Impactos en la integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).", }, ], id: "CVE-2024-21131", lastModified: "2024-12-05T22:02:52.553", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 1.4, source: "secalert_us@oracle.com", type: "Primary", }, ], }, published: "2024-07-16T23:15:13.210", references: [ { source: "secalert_us@oracle.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-16 23:15
Modified
2024-12-05 22:05
Severity ?
Summary
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| netapp | active_iq_unified_manager | - | |
| netapp | bluexp | - | |
| netapp | data_infrastructure_insights_storage_workload_security_agent | - | |
| netapp | oncommand_insight | - | |
| netapp | oncommand_workflow_automation | - | |
| oracle | graalvm | 20.3.14 | |
| oracle | graalvm | 21.3.10 | |
| oracle | graalvm_for_jdk | 17.0.11 | |
| oracle | graalvm_for_jdk | 21.0.3 | |
| oracle | graalvm_for_jdk | 22.0.1 | |
| oracle | jdk | 1.8.0 | |
| oracle | jdk | 1.8.0 | |
| oracle | jdk | 11.0.23 | |
| oracle | jdk | 17.0.11 | |
| oracle | jdk | 21.0.3 | |
| oracle | jdk | 22.0.1 | |
| oracle | jre | 1.8.0 | |
| oracle | jre | 1.8.0 | |
| oracle | jre | 11.0.23 | |
| oracle | jre | 17.0.11 | |
| oracle | jre | 21.0.3 | |
| oracle | jre | 22.0.1 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:bluexp:-:*:*:*:*:*:*:*", matchCriteriaId: "FC1AE8BD-EE3F-494C-9F03-D4B2B7233106", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:data_infrastructure_insights_storage_workload_security_agent:-:*:*:*:*:*:*:*", matchCriteriaId: "EB7A9455-165A-42CE-B5D1-648AACB2ED05", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:graalvm:20.3.14:*:*:*:enterprise:*:*:*", matchCriteriaId: "AA5074F2-F35B-499E-A181-E272449B044D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:21.3.10:*:*:*:enterprise:*:*:*", matchCriteriaId: "39F28D35-48E1-450D-884A-D2578C99E8EC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "E104024C-15B5-4EFB-A26B-C69D303933CA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "CAEB1A60-678D-4BAF-9D95-43C9DCFC8D68", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm_for_jdk:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "AD14A144-2CA9-498E-84B9-87733E33C602", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:*:*:*:*", matchCriteriaId: "20DFA1BB-BA28-4CCA-835E-D09D469170FB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:1.8.0:update411:*:*:enterprise_performance_pack:*:*:*", matchCriteriaId: "54DCB9FD-A3FB-4901-A13F-9064921C77C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:11.0.23:*:*:*:*:*:*:*", matchCriteriaId: "21F9B73E-696B-4F6B-A019-83A68179E422", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "C52598F8-1859-4007-ABEE-03A463482F4A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "62AE87F9-A4B3-4163-9A19-3E606CF72720", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "3AD2D0EA-694D-4629-A1F7-244C9B154248", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:*:*:*:*", matchCriteriaId: "C5F6C67C-C4FF-44F1-BF6D-EE1E4D0D9E61", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:1.8.0:update411:*:*:enterprise_performance_pack:*:*:*", matchCriteriaId: "F70BAD0D-1601-4C61-B6B2-1A1DBB48B067", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:11.0.23:*:*:*:*:*:*:*", matchCriteriaId: "49A5200E-E144-4C02-BAAB-8EAF734EEC5F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:17.0.11:*:*:*:*:*:*:*", matchCriteriaId: "47E6B664-D2ED-425F-B27B-3E57278B1C7E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:21.0.3:*:*:*:*:*:*:*", matchCriteriaId: "06104137-B672-4AB8-AEB4-5AEE95D978FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jre:22.0.1:*:*:*:*:*:*:*", matchCriteriaId: "F92B7DB4-7E5C-4961-8BB3-D3DF4A833E79", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).", }, { lang: "es", value: "Vulnerabilidad en el producto Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition de Oracle Java SE (componente: Hotspot). Las versiones compatibles que se ven afectadas son Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM para JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 y 21.3.10. Una vulnerabilidad difícil de explotar permite que un atacante no autenticado con acceso a la red a través de múltiples protocolos comprometa Oracle Java SE, Oracle GraalVM para JDK y Oracle GraalVM Enterprise Edition. Los ataques exitosos de esta vulnerabilidad pueden resultar en una capacidad no autorizada para causar una denegación de servicio parcial (DOS parcial) de Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition. Nota: Esta vulnerabilidad se puede aprovechar utilizando API en el componente especificado, por ejemplo, a través de un servicio web que proporciona datos a las API. Esta vulnerabilidad también se aplica a las implementaciones de Java, normalmente en clientes que ejecutan aplicaciones Java Web Start en un espacio aislado o subprogramas de Java en un espacio aislado, que cargan y ejecutan código que no es de confianza (por ejemplo, código que proviene de Internet) y dependen del entorno limitado de Java para su seguridad. CVSS 3.1 Puntuación base 3.7 (impactos en la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).", }, ], id: "CVE-2024-21138", lastModified: "2024-12-05T22:05:55.937", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 1.4, source: "secalert_us@oracle.com", type: "Primary", }, ], }, published: "2024-07-16T23:15:14.620", references: [ { source: "secalert_us@oracle.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, { source: "secalert_us@oracle.com", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20240719-0008/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2024.html", }, ], sourceIdentifier: "secalert_us@oracle.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }