Vulnerabilites related to redhat - fuse
cve-2020-10688
Vulnerability from cvelistv5
Published
2021-05-27 18:45
Modified
2024-08-04 11:06
Severity ?
EPSS score ?
Summary
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1814974 | x_refsource_MISC | |
| https://github.com/quarkusio/quarkus/issues/7248 | x_refsource_MISC | |
| https://issues.redhat.com/browse/RESTEASY-2519 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20210706-0008/ | x_refsource_CONFIRM |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:06:11.147Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/quarkusio/quarkus/issues/7248", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://issues.redhat.com/browse/RESTEASY-2519", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20210706-0008/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "RESTEasy", vendor: "n/a", versions: [ { status: "affected", version: "resteasy 3.11.1.Final, resteasy 4.5.3.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-06T07:06:22", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/quarkusio/quarkus/issues/7248", }, { tags: [ "x_refsource_MISC", ], url: "https://issues.redhat.com/browse/RESTEASY-2519", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20210706-0008/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-10688", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "RESTEasy", version: { version_data: [ { version_value: "resteasy 3.11.1.Final, resteasy 4.5.3.Final", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", }, { name: "https://github.com/quarkusio/quarkus/issues/7248", refsource: "MISC", url: "https://github.com/quarkusio/quarkus/issues/7248", }, { name: "https://issues.redhat.com/browse/RESTEASY-2519", refsource: "MISC", url: "https://issues.redhat.com/browse/RESTEASY-2519", }, { name: "https://security.netapp.com/advisory/ntap-20210706-0008/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20210706-0008/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-10688", datePublished: "2021-05-27T18:45:41", dateReserved: "2020-03-20T00:00:00", dateUpdated: "2024-08-04T11:06:11.147Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-10719
Vulnerability from cvelistv5
Published
2020-05-26 14:57
Modified
2024-08-04 11:14
Severity ?
EPSS score ?
Summary
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719 | x_refsource_CONFIRM | |
| https://security.netapp.com/advisory/ntap-20220210-0014/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T11:14:14.887Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0014/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undertow", vendor: "Red Hat", versions: [ { status: "affected", version: "Versions before 2.1.1.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-444", description: "CWE-444", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T09:06:56", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0014/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2020-10719", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "undertow", version: { version_data: [ { version_value: "Versions before 2.1.1.Final", }, ], }, }, ], }, vendor_name: "Red Hat", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.", }, ], }, impact: { cvss: [ [ { vectorString: "6.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-444", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0014/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0014/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-10719", datePublished: "2020-05-26T14:57:51", dateReserved: "2020-03-20T00:00:00", dateUpdated: "2024-08-04T11:14:14.887Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-10219
Vulnerability from cvelistv5
Published
2019-11-08 14:46
Modified
2024-08-04 22:17
Severity ?
EPSS score ?
Summary
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hibernate | hibernate-validator |
Version: n/a |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T22:17:18.975Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[accumulo-notifications] 20200108 [GitHub] [accumulo] milleruntime opened a new pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E", }, { name: "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime closed pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E", }, { name: "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime commented on issue #1469: Update hibernate-validator. Fixes CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E", }, { name: "RHSA-2020:0164", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0164", }, { name: "RHSA-2020:0159", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0159", }, { name: "RHSA-2020:0160", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0160", }, { name: "RHSA-2020:0161", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0161", }, { name: "RHSA-2020:0445", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0024/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "hibernate-validator", vendor: "Hibernate", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T09:07:39", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "[accumulo-notifications] 20200108 [GitHub] [accumulo] milleruntime opened a new pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E", }, { name: "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime closed pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E", }, { name: "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime commented on issue #1469: Update hibernate-validator. Fixes CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E", }, { name: "RHSA-2020:0164", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0164", }, { name: "RHSA-2020:0159", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0159", }, { name: "RHSA-2020:0160", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0160", }, { name: "RHSA-2020:0161", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0161", }, { name: "RHSA-2020:0445", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0024/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2019-10219", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "hibernate-validator", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "Hibernate", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.", }, ], }, impact: { cvss: [ [ { vectorString: "6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "[accumulo-notifications] 20200108 [GitHub] [accumulo] milleruntime opened a new pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf@%3Cnotifications.accumulo.apache.org%3E", }, { name: "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime closed pull request #1469: Update hibernate-validator. Fixes CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6@%3Cnotifications.accumulo.apache.org%3E", }, { name: "[accumulo-notifications] 20200109 [GitHub] [accumulo] milleruntime commented on issue #1469: Update hibernate-validator. Fixes CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d@%3Cnotifications.accumulo.apache.org%3E", }, { name: "RHSA-2020:0164", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0164", }, { name: "RHSA-2020:0159", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0159", }, { name: "RHSA-2020:0160", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0160", }, { name: "RHSA-2020:0161", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0161", }, { name: "RHSA-2020:0445", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a@%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-791) Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c@%3Cpluto-dev.portals.apache.org%3E", }, { name: "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-791 Upgrade to hibernate-validator-6.0.20.Final due to CVE-2020-10693 and CVE-2019-10219", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4@%3Cpluto-scm.portals.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0024/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0024/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-10219", datePublished: "2019-11-08T14:46:03", dateReserved: "2019-03-27T00:00:00", dateUpdated: "2024-08-04T22:17:18.975Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-4178
Vulnerability from cvelistv5
Published
2022-08-24 15:02
Modified
2024-08-03 17:16
Severity ?
EPSS score ?
Summary
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2034388 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/CVE-2021-4178 | x_refsource_MISC | |
| https://github.com/advisories/GHSA-98g7-rxmf-rrxm | x_refsource_MISC | |
| https://github.com/fabric8io/kubernetes-client/issues/3653 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | kubernetes-client |
Version: Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above. |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:16:04.264Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2034388", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2021-4178", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/advisories/GHSA-98g7-rxmf-rrxm", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/fabric8io/kubernetes-client/issues/3653", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "kubernetes-client", vendor: "n/a", versions: [ { status: "affected", version: "Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above.", }, ], }, ], descriptions: [ { lang: "en", value: "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 - Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-24T15:02:11", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2034388", }, { tags: [ "x_refsource_MISC", ], url: "https://access.redhat.com/security/cve/CVE-2021-4178", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/advisories/GHSA-98g7-rxmf-rrxm", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/fabric8io/kubernetes-client/issues/3653", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2021-4178", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "kubernetes-client", version: { version_data: [ { version_value: "Affects 5.x versions, Fixed in kubernetes-client v5.0.3 and above.", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-502 - Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=2034388", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=2034388", }, { name: "https://access.redhat.com/security/cve/CVE-2021-4178", refsource: "MISC", url: "https://access.redhat.com/security/cve/CVE-2021-4178", }, { name: "https://github.com/advisories/GHSA-98g7-rxmf-rrxm", refsource: "MISC", url: "https://github.com/advisories/GHSA-98g7-rxmf-rrxm", }, { name: "https://github.com/fabric8io/kubernetes-client/issues/3653", refsource: "MISC", url: "https://github.com/fabric8io/kubernetes-client/issues/3653", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2021-4178", datePublished: "2022-08-24T15:02:11", dateReserved: "2021-12-27T00:00:00", dateUpdated: "2024-08-03T17:16:04.264Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-10174
Vulnerability from cvelistv5
Published
2019-11-25 10:26
Modified
2024-08-04 22:10
Severity ?
EPSS score ?
Summary
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2020:0481 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2020:0727 | vendor-advisory, x_refsource_REDHAT | |
| https://security.netapp.com/advisory/ntap-20220210-0018/ | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| [UNKNOWN] | infinispan |
Version: 10.0.0.Final Version: 9.4.17.Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T22:10:10.097Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", }, { name: "RHSA-2020:0481", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0481", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0018/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "infinispan", vendor: "[UNKNOWN]", versions: [ { status: "affected", version: "10.0.0.Final", }, { status: "affected", version: "9.4.17.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-470", description: "CWE-470", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T09:06:27", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", }, { name: "RHSA-2020:0481", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0481", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0018/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2019-10174", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "infinispan", version: { version_data: [ { version_value: "10.0.0.Final", }, { version_value: "9.4.17.Final", }, ], }, }, ], }, vendor_name: "[UNKNOWN]", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", }, ], }, impact: { cvss: [ [ { vectorString: "7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-470", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", }, { name: "RHSA-2020:0481", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0481", }, { name: "RHSA-2020:0727", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0018/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0018/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-10174", datePublished: "2019-11-25T10:26:16", dateReserved: "2019-03-27T00:00:00", dateUpdated: "2024-08-04T22:10:10.097Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-3597
Vulnerability from cvelistv5
Published
2022-05-24 18:19
Modified
2024-08-03 17:01
Severity ?
EPSS score ?
Summary
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1970930 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20220804-0003/ | x_refsource_CONFIRM |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:01:07.706Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1970930", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220804-0003/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undertow", vendor: "n/a", versions: [ { status: "affected", version: "undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-362", description: "CWE-362", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-04T17:06:48", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1970930", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220804-0003/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2021-3597", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "undertow", version: { version_data: [ { version_value: "undertow 2.0.35.SP1, undertow 2.2.6.SP1, undertow 2.2.7.SP1, undertow 2.0.36.SP1, undertow 2.2.9.Final, undertow 2.0.39.Final", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-362", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1970930", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1970930", }, { name: "https://security.netapp.com/advisory/ntap-20220804-0003/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220804-0003/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2021-3597", datePublished: "2022-05-24T18:19:11", dateReserved: "2021-06-11T00:00:00", dateUpdated: "2024-08-03T17:01:07.706Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-3690
Vulnerability from cvelistv5
Published
2022-08-23 15:50
Modified
2024-08-03 17:01
Severity ?
EPSS score ?
Summary
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://issues.redhat.com/browse/UNDERTOW-1935 | x_refsource_MISC | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1991299 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/CVE-2021-3690 | x_refsource_MISC | |
| https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T17:01:08.307Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://issues.redhat.com/browse/UNDERTOW-1935", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991299", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2021-3690", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "undertow", vendor: "n/a", versions: [ { status: "affected", version: "Fixed in 2.2.10.Final, 2.0.40.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 - Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-08-23T15:50:35", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://issues.redhat.com/browse/UNDERTOW-1935", }, { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991299", }, { tags: [ "x_refsource_MISC", ], url: "https://access.redhat.com/security/cve/CVE-2021-3690", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2021-3690", datePublished: "2022-08-23T15:50:35", dateReserved: "2021-08-09T00:00:00", dateUpdated: "2024-08-03T17:01:08.307Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-1108
Vulnerability from cvelistv5
Published
2023-09-14 14:48
Modified
2024-08-02 05:32
Severity ?
EPSS score ?
Summary
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-1108", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-08T18:37:50.625681Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-08T18:38:02.186Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T05:32:46.370Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:1184", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1184", }, { name: "RHSA-2023:1185", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1185", }, { name: "RHSA-2023:1512", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1512", }, { name: "RHSA-2023:1513", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1513", }, { name: "RHSA-2023:1514", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1514", }, { name: "RHSA-2023:1516", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1516", }, { name: "RHSA-2023:2135", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:2135", }, { name: "RHSA-2023:3883", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3883", }, { name: "RHSA-2023:3884", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3884", }, { name: "RHSA-2023:3885", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3885", }, { name: "RHSA-2023:3888", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3888", }, { name: "RHSA-2023:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3892", }, { name: "RHSA-2023:3954", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { name: "RHSA-2023:4612", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:4612", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { name: "RHBZ#2174246", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { tags: [ "x_transferred", ], url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20231020-0002/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://github.com/undertow-io/undertow", packageName: "io.undertow:undertow-core", versions: [ { status: "unaffected", version: "2.3.5", }, { status: "unaffected", version: "2.2.24", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", ], defaultStatus: "unaffected", product: "EAP 7.4.10 release", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_fuse:7", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Fuse 7.12", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform 7.1.0", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.22-1.SP3_redhat_00002.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-wildfly", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:7.4.9-6.GA_redhat_00004.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.23-1.SP2_redhat_00001.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow-jastow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.0.14-1.Final_redhat_00001.1.el8eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.22-1.SP3_redhat_00002.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-wildfly", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:7.4.9-6.GA_redhat_00004.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.23-1.SP2_redhat_00001.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", ], defaultStatus: "affected", packageName: "eap7-undertow-jastow", product: "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.0.14-1.Final_redhat_00001.1.el9eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.22-1.SP3_redhat_00002.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", ], defaultStatus: "affected", packageName: "eap7-wildfly", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:7.4.9-6.GA_redhat_00004.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", ], defaultStatus: "affected", packageName: "eap7-undertow", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.2.23-1.SP2_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", ], defaultStatus: "affected", packageName: "eap7-undertow-jastow", product: "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:2.0.14-1.Final_redhat_00001.1.el7eap", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6.4", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.8-1.redhat_00001.1.el7sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.8-1.redhat_00001.1.el8sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.8-1.redhat_00001.1.el9sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_application_runtimes:1.0", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat support for Spring Boot 2.7.13", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso76-openshift-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-24", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", ], defaultStatus: "unaffected", packageName: "undertow", product: "RHPAM 7.13.1 async", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:quarkus:2", ], defaultStatus: "unaffected", packageName: "io.quarkus/quarkus-undertow", product: "Red Hat build of Quarkus", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:jboss_data_grid:8", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Data Grid 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:integration:1", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Integration Camel K", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:camel_quarkus:2", ], defaultStatus: "unaffected", packageName: "undertow", product: "Red Hat Integration Camel Quarkus", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_registry:2", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat Integration Service Registry", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_data_grid:7", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat JBoss Data Grid 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jbosseapxp", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat JBoss Enterprise Application Platform Expansion Pack", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_fuse:6", ], defaultStatus: "unknown", packageName: "undertow", product: "Red Hat JBoss Fuse 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:13", ], defaultStatus: "affected", packageName: "undertow", product: "Red Hat OpenStack Platform 13 (Queens)", vendor: "Red Hat", }, ], datePublic: "2023-03-07T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-835", description: "Loop with Unreachable Exit Condition ('Infinite Loop')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-03T15:32:32.904Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:1184", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1184", }, { name: "RHSA-2023:1185", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1185", }, { name: "RHSA-2023:1512", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1512", }, { name: "RHSA-2023:1513", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1513", }, { name: "RHSA-2023:1514", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1514", }, { name: "RHSA-2023:1516", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1516", }, { name: "RHSA-2023:2135", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:2135", }, { name: "RHSA-2023:3883", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3883", }, { name: "RHSA-2023:3884", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3884", }, { name: "RHSA-2023:3885", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3885", }, { name: "RHSA-2023:3888", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3888", }, { name: "RHSA-2023:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3892", }, { name: "RHSA-2023:3954", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { name: "RHSA-2023:4612", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:4612", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { name: "RHBZ#2174246", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, { url: "https://security.netapp.com/advisory/ntap-20231020-0002/", }, ], timeline: [ { lang: "en", time: "2023-02-07T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-03-07T00:00:00+00:00", value: "Made public.", }, ], title: "Undertow: infinite loop in sslconduit during close", x_redhatCweChain: "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-1108", datePublished: "2023-09-14T14:48:58.869Z", dateReserved: "2023-03-01T00:27:23.587Z", dateUpdated: "2024-08-02T05:32:46.370Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1199
Vulnerability from cvelistv5
Published
2018-03-16 20:00
Modified
2024-09-16 16:13
Severity ?
EPSS score ?
Summary
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2405 | vendor-advisory, x_refsource_REDHAT | |
| https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://www.oracle.com/security-alerts/cpujul2020.html | x_refsource_MISC | |
| https://pivotal.io/security/cve-2018-1199 | x_refsource_CONFIRM |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Dell EMC | Spring by Pivotal |
Version: spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3, 5.0.0 Version: Spring Framework 5.0.0 - 5.0.2, 4.3.0 - 4.3.13 Version: Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:51:48.970Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2018:2405", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2405", }, { name: "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://pivotal.io/security/cve-2018-1199", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Spring by Pivotal", vendor: "Dell EMC", versions: [ { status: "affected", version: "spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3, 5.0.0", }, { status: "affected", version: "Spring Framework 5.0.0 - 5.0.2, 4.3.0 - 4.3.13", }, { status: "affected", version: "Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted", }, ], }, ], datePublic: "2018-01-29T00:00:00", descriptions: [ { lang: "en", value: "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", }, ], problemTypes: [ { descriptions: [ { description: "Security bypass with static", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-07-15T02:22:57", orgId: "c550e75a-17ff-4988-97f0-544cde3820fe", shortName: "dell", }, references: [ { name: "RHSA-2018:2405", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2405", }, { name: "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://pivotal.io/security/cve-2018-1199", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secure@dell.com", DATE_PUBLIC: "2018-01-29T00:00:00", ID: "CVE-2018-1199", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Spring by Pivotal", version: { version_data: [ { version_value: "spring Security 4.1.0 - 4.1.4, 4.2.0 - 4.2.3, 5.0.0", }, { version_value: "Spring Framework 5.0.0 - 5.0.2, 4.3.0 - 4.3.13", }, { version_value: "Older unmaintained versions of Spring Security & Spring Framework were not analyzed and may be impacted", }, ], }, }, ], }, vendor_name: "Dell EMC", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Security bypass with static", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2018:2405", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2405", }, { name: "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://pivotal.io/security/cve-2018-1199", refsource: "CONFIRM", url: "https://pivotal.io/security/cve-2018-1199", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "c550e75a-17ff-4988-97f0-544cde3820fe", assignerShortName: "dell", cveId: "CVE-2018-1199", datePublished: "2018-03-16T20:00:00Z", dateReserved: "2017-12-06T00:00:00", dateUpdated: "2024-09-16T16:13:09.643Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-12617
Vulnerability from cvelistv5
Published
2017-10-03 15:00
Modified
2025-02-04 18:46
Severity ?
EPSS score ?
Summary
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Tomcat |
Version: 9.0.0.M1 to 9.0.0 Version: 8.5.0 to 8.5.22 Version: 8.0.0.RC1 to 8.0.46 Version: 7.0.0 to 7.0.81 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T18:43:56.415Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:3113", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3113", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "RHSA-2017:3080", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3080", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", }, { name: "RHSA-2018:0269", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0269", }, { name: "42966", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/42966/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us", }, { name: "RHSA-2018:0270", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0270", }, { name: "RHSA-2018:0271", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0271", }, { name: "[debian-lts-announce] 20171107 [SECURITY] [DLA 1166-1] tomcat7 security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html", }, { name: "RHSA-2018:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { name: "RHSA-2018:0465", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0465", }, { name: "USN-3665-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3665-1/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2018:0268", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0268", }, { name: "RHSA-2017:3114", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3114", }, { name: "43008", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/43008/", }, { name: "1039552", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1039552", }, { name: "100954", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/100954", }, { name: "RHSA-2018:0275", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0275", }, { name: "RHSA-2018:0466", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0466", }, { name: "[announce] 20171003 [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20171018-0002/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { name: "RHSA-2017:3081", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3081", }, { name: "[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.f5.com/csp/article/K53173544", }, { name: "[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2017-12617", options: [ { Exploitation: "active", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-04T18:46:14.471455Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2022-03-25", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2017-12617", }, type: "kev", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-434", description: "CWE-434 Unrestricted Upload of File with Dangerous Type", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-04T18:46:52.662Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "Apache Tomcat", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "9.0.0.M1 to 9.0.0", }, { status: "affected", version: "8.5.0 to 8.5.22", }, { status: "affected", version: "8.0.0.RC1 to 8.0.46", }, { status: "affected", version: "7.0.0 to 7.0.81", }, ], }, ], datePublic: "2017-10-03T00:00:00.000Z", descriptions: [ { lang: "en", value: "When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", }, ], problemTypes: [ { descriptions: [ { description: "Remote Code Execution", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-02-13T16:09:13.000Z", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "RHSA-2017:3113", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3113", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "RHSA-2017:3080", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3080", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", }, { name: "RHSA-2018:0269", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0269", }, { name: "42966", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/42966/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us", }, { name: "RHSA-2018:0270", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0270", }, { name: "RHSA-2018:0271", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0271", }, { name: "[debian-lts-announce] 20171107 [SECURITY] [DLA 1166-1] tomcat7 security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html", }, { name: "RHSA-2018:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { name: "RHSA-2018:0465", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0465", }, { name: "USN-3665-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3665-1/", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2018:0268", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0268", }, { name: "RHSA-2017:3114", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3114", }, { name: "43008", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/43008/", }, { name: "1039552", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1039552", }, { name: "100954", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/100954", }, { name: "RHSA-2018:0275", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0275", }, { name: "RHSA-2018:0466", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0466", }, { name: "[announce] 20171003 [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20171018-0002/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { name: "RHSA-2017:3081", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3081", }, { name: "[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K53173544", }, { name: "[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", DATE_PUBLIC: "2017-10-03T00:00:00", ID: "CVE-2017-12617", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Tomcat", version: { version_data: [ { version_value: "9.0.0.M1 to 9.0.0", }, { version_value: "8.5.0 to 8.5.22", }, { version_value: "8.0.0.RC1 to 8.0.46", }, { version_value: "7.0.0 to 7.0.81", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Remote Code Execution", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:3113", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3113", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "RHSA-2017:3080", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3080", }, { name: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", refsource: "CONFIRM", url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", }, { name: "RHSA-2018:0269", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0269", }, { name: "42966", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/42966/", }, { name: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us", refsource: "CONFIRM", url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us", }, { name: "RHSA-2018:0270", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0270", }, { name: "RHSA-2018:0271", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0271", }, { name: "[debian-lts-announce] 20171107 [SECURITY] [DLA 1166-1] tomcat7 security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html", }, { name: "RHSA-2018:2939", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { name: "RHSA-2018:0465", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0465", }, { name: "USN-3665-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3665-1/", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "RHSA-2018:0268", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0268", }, { name: "RHSA-2017:3114", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3114", }, { name: "43008", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/43008/", }, { name: "1039552", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039552", }, { name: "100954", refsource: "BID", url: "http://www.securityfocus.com/bid/100954", }, { name: "RHSA-2018:0275", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0275", }, { name: "RHSA-2018:0466", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0466", }, { name: "[announce] 20171003 [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload", refsource: "MLIST", url: "https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20171018-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20171018-0002/", }, { name: "https://security.netapp.com/advisory/ntap-20180117-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { name: "RHSA-2017:3081", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3081", }, { name: "[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E", }, { name: "https://support.f5.com/csp/article/K53173544", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K53173544", }, { name: "[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E", }, { name: "[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-12617", datePublished: "2017-10-03T15:00:00.000Z", dateReserved: "2017-08-07T00:00:00.000Z", dateUpdated: "2025-02-04T18:46:52.662Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1258
Vulnerability from cvelistv5
Published
2018-05-11 20:00
Modified
2024-09-17 02:56
Severity ?
EPSS score ?
Summary
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Pivotal | Spring Framework |
Version: 5.0.5 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:51:49.125Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "104222", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/104222", }, { name: "1041888", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1041888", }, { name: "1041896", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1041896", }, { name: "RHSA-2019:2413", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2413", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20181018-0002/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://pivotal.io/security/cve-2018-1258", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Spring Framework", vendor: "Pivotal", versions: [ { status: "affected", version: "5.0.5", }, ], }, ], datePublic: "2018-05-09T00:00:00", descriptions: [ { lang: "en", value: "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.", }, ], problemTypes: [ { descriptions: [ { description: "Authorization Bypass", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-20T10:38:01", orgId: "c550e75a-17ff-4988-97f0-544cde3820fe", shortName: "dell", }, references: [ { name: "104222", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/104222", }, { name: "1041888", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1041888", }, { name: "1041896", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1041896", }, { name: "RHSA-2019:2413", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2413", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20181018-0002/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://pivotal.io/security/cve-2018-1258", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secure@dell.com", DATE_PUBLIC: "2018-05-09T00:00:00", ID: "CVE-2018-1258", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Spring Framework", version: { version_data: [ { affected: "=", version_affected: "=", version_value: "5.0.5", }, ], }, }, ], }, vendor_name: "Pivotal", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Authorization Bypass", }, ], }, ], }, references: { reference_data: [ { name: "104222", refsource: "BID", url: "http://www.securityfocus.com/bid/104222", }, { name: "1041888", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1041888", }, { name: "1041896", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1041896", }, { name: "RHSA-2019:2413", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2413", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { name: "https://security.netapp.com/advisory/ntap-20181018-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20181018-0002/", }, { name: "https://pivotal.io/security/cve-2018-1258", refsource: "CONFIRM", url: "https://pivotal.io/security/cve-2018-1258", }, { name: "https://www.oracle.com/security-alerts/cpujan2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "c550e75a-17ff-4988-97f0-544cde3820fe", assignerShortName: "dell", cveId: "CVE-2018-1258", datePublished: "2018-05-11T20:00:00Z", dateReserved: "2017-12-06T00:00:00", dateUpdated: "2024-09-17T02:56:37.459Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-14900
Vulnerability from cvelistv5
Published
2020-07-06 18:35
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1666499 | x_refsource_MISC | |
| https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E | mailing-list, x_refsource_MLIST | |
| https://security.netapp.com/advisory/ntap-20220210-0020/ | x_refsource_CONFIRM |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T00:26:39.118Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Hibernate", vendor: "n/a", versions: [ { status: "affected", version: "Versions before Hibernate ORM 5.3.18", }, { status: "affected", version: "Versions before Hibernate ORM 5.4.18", }, { status: "affected", version: "Versions before Hibernate ORM 5.5.0.Beta1", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", }, ], problemTypes: [ { descriptions: [ { description: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-10T09:07:46", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2019-14900", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Hibernate", version: { version_data: [ { version_value: "Versions before Hibernate ORM 5.3.18", }, { version_value: "Versions before Hibernate ORM 5.4.18", }, { version_value: "Versions before Hibernate ORM 5.5.0.Beta1", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", }, ], }, ], }, references: { reference_data: [ { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { name: "[turbine-dev] 20211015 Fulcrum Security Hibernate Module", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44@%3Cdev.turbine.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20220210-0020/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-14900", datePublished: "2020-07-06T18:35:01", dateReserved: "2019-08-10T00:00:00", dateUpdated: "2024-08-05T00:26:39.118Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-1270
Vulnerability from cvelistv5
Published
2018-04-06 13:00
Modified
2024-09-16 19:05
Severity ?
EPSS score ?
Summary
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Spring by Pivotal | Spring Framework |
Version: Versions prior to 5.0.5 and 4.3.15 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T03:51:48.998Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2018:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { name: "44796", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/44796/", }, { name: "103696", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/103696", }, { name: "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://pivotal.io/security/cve-2018-1270", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { name: "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Spring Framework", vendor: "Spring by Pivotal", versions: [ { status: "affected", version: "Versions prior to 5.0.5 and 4.3.15", }, ], }, ], datePublic: "2018-04-05T00:00:00", descriptions: [ { lang: "en", value: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94 - Code Injection", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-20T10:38:02", orgId: "c550e75a-17ff-4988-97f0-544cde3820fe", shortName: "dell", }, references: [ { name: "RHSA-2018:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { name: "44796", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/44796/", }, { name: "103696", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/103696", }, { name: "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://pivotal.io/security/cve-2018-1270", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { name: "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secure@dell.com", DATE_PUBLIC: "2018-04-05T00:00:00", ID: "CVE-2018-1270", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Spring Framework", version: { version_data: [ { version_value: "Versions prior to 5.0.5 and 4.3.15", }, ], }, }, ], }, vendor_name: "Spring by Pivotal", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-94 - Code Injection", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2018:2939", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { name: "44796", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/44796/", }, { name: "103696", refsource: "BID", url: "http://www.securityfocus.com/bid/103696", }, { name: "[activemq-issues] 20190703 [jira] [Created] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190703 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190718 [jira] [Updated] (AMQ-7236) SEV-1 Security vulnerability in spring-expression-4.3.11.RELEASE.jar (spring framework) and xstream-1.4.10.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20190826 [jira] [Created] (AMQ-7288) Security Vulnerabilities in ActiveMQ dependent libraries.", refsource: "MLIST", url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "https://pivotal.io/security/cve-2018-1270", refsource: "CONFIRM", url: "https://pivotal.io/security/cve-2018-1270", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", }, { name: "[debian-lts-announce] 20210423 [SECURITY] [DLA 2635-1] libspring-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "c550e75a-17ff-4988-97f0-544cde3820fe", assignerShortName: "dell", cveId: "CVE-2018-1270", datePublished: "2018-04-06T13:00:00Z", dateReserved: "2017-12-06T00:00:00", dateUpdated: "2024-09-16T19:05:05.139Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-14860
Vulnerability from cvelistv5
Published
2019-11-08 14:45
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisory, x_refsource_REDHAT |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T00:26:39.101Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "syndesis", vendor: "[UNKNOWN]", versions: [ { status: "affected", version: "n/a", }, ], }, ], descriptions: [ { lang: "en", value: "It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-942", description: "CWE-942", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2019-11-14T23:07:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-14860", datePublished: "2019-11-08T14:45:52", dateReserved: "2019-08-10T00:00:00", dateUpdated: "2024-08-05T00:26:39.101Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2020-25689
Vulnerability from cvelistv5
Published
2020-10-30 00:00
Modified
2024-08-04 15:40
Severity ?
EPSS score ?
Summary
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Red Hat | wildfly-core |
Version: up to 21.0.0.Final |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T15:40:36.775Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20201123-0006/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "wildfly-core", vendor: "Red Hat", versions: [ { status: "affected", version: "up to 21.0.0.Final", }, ], }, ], descriptions: [ { lang: "en", value: "A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-401", description: "CWE-401", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-10-07T00:00:00", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689", }, { url: "https://security.netapp.com/advisory/ntap-20201123-0006/", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2020-25689", datePublished: "2020-10-30T00:00:00", dateReserved: "2020-09-16T00:00:00", dateUpdated: "2024-08-04T15:40:36.775Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2015-1427
Vulnerability from cvelistv5
Published
2015-02-17 15:00
Modified
2025-02-10 19:05
Severity ?
EPSS score ?
Summary
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
References
| ▼ | URL | Tags |
|---|---|---|
| http://www.securityfocus.com/archive/1/534689/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html | x_refsource_MISC | |
| https://access.redhat.com/errata/RHSA-2017:0868 | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/72585 | vdb-entry, x_refsource_BID | |
| http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/ | x_refsource_CONFIRM | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/100850 | vdb-entry, x_refsource_XF | |
| http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html | x_refsource_MISC | |
| https://www.elastic.co/community/security/ | x_refsource_CONFIRM |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T04:40:18.586Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "20150211 Elasticsearch vulnerability CVE-2015-1427", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/534689/100/0/threaded", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html", }, { name: "RHSA-2017:0868", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { name: "72585", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/72585", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/", }, { name: "elasticsearch-cve20151427-command-exec(100850)", tags: [ "vdb-entry", "x_refsource_XF", "x_transferred", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/100850", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.elastic.co/community/security/", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2015-1427", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-10T19:05:50.626176Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2022-03-25", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2015-1427", }, type: "kev", }, }, ], problemTypes: [ { descriptions: [ { description: "CWE-noinfo Not enough information", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-10T19:05:54.785Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-02-11T00:00:00.000Z", descriptions: [ { lang: "en", value: "The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-10-09T18:57:01.000Z", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { name: "20150211 Elasticsearch vulnerability CVE-2015-1427", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/534689/100/0/threaded", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html", }, { name: "RHSA-2017:0868", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { name: "72585", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/72585", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/", }, { name: "elasticsearch-cve20151427-command-exec(100850)", tags: [ "vdb-entry", "x_refsource_XF", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/100850", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.elastic.co/community/security/", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2015-1427", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "20150211 Elasticsearch vulnerability CVE-2015-1427", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/534689/100/0/threaded", }, { name: "http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html", }, { name: "RHSA-2017:0868", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { name: "72585", refsource: "BID", url: "http://www.securityfocus.com/bid/72585", }, { name: "http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/", refsource: "CONFIRM", url: "http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/", }, { name: "elasticsearch-cve20151427-command-exec(100850)", refsource: "XF", url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/100850", }, { name: "http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html", }, { name: "https://www.elastic.co/community/security/", refsource: "CONFIRM", url: "https://www.elastic.co/community/security/", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2015-1427", datePublished: "2015-02-17T15:00:00.000Z", dateReserved: "2015-01-31T00:00:00.000Z", dateUpdated: "2025-02-10T19:05:54.785Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-0201
Vulnerability from cvelistv5
Published
2019-05-23 13:42
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache ZooKeeper |
Version: 1.0.0 to 3.4.13 Version: 3.5.0-alpha to 3.5.4-beta |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:44:14.871Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "108427", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/108427", }, { name: "[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { name: "[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E", }, { name: "DSA-4461", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4461", }, { name: "20190612 [SECURITY] [DSA 4461-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Jun/13", }, { name: "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E", }, { name: "RHSA-2019:3140", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache ZooKeeper", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "1.0.0 to 3.4.13", }, { status: "affected", version: "3.5.0-alpha to 3.5.4-beta", }, ], }, ], descriptions: [ { lang: "en", value: "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-16T12:06:09", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "108427", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/108427", }, { name: "[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { name: "[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E", }, { name: "DSA-4461", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4461", }, { name: "20190612 [SECURITY] [DSA 4461-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Jun/13", }, { name: "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E", }, { name: "RHSA-2019:3140", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2019-0201", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache ZooKeeper", version: { version_data: [ { version_value: "1.0.0 to 3.4.13", }, { version_value: "3.5.0-alpha to 3.5.4-beta", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "108427", refsource: "BID", url: "http://www.securityfocus.com/bid/108427", }, { name: "[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { name: "[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E", }, { name: "DSA-4461", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4461", }, { name: "20190612 [SECURITY] [DSA 4461-1] zookeeper security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Jun/13", }, { name: "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E", }, { name: "RHSA-2019:3140", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", refsource: "MISC", url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { name: "https://zookeeper.apache.org/security.html#CVE-2019-0201", refsource: "CONFIRM", url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { name: "https://security.netapp.com/advisory/ntap-20190619-0001/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2019-0201", datePublished: "2019-05-23T13:42:47", dateReserved: "2018-11-14T00:00:00", dateUpdated: "2024-08-04T17:44:14.871Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-5645
Vulnerability from cvelistv5
Published
2017-04-17 21:00
Modified
2024-08-05 15:11
Severity ?
EPSS score ?
Summary
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Log4j |
Version: All versions between 2.0-alpha1 and 2.8.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T15:11:47.391Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:2888", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:2809", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "97702", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/97702", }, { name: "1041294", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1041294", }, { name: "RHSA-2017:2810", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:1801", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { name: "RHSA-2017:2889", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2635", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { name: "RHSA-2017:2638", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { name: "RHSA-2017:1417", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { name: "RHSA-2017:2423", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { name: "RHSA-2017:2808", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "1040200", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040200", }, { name: "RHSA-2017:2636", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { name: "RHSA-2017:3399", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { name: "RHSA-2017:2637", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { name: "RHSA-2017:3244", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { name: "RHSA-2017:3400", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { name: "RHSA-2017:2633", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { name: "RHSA-2017:2811", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:1802", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { name: "RHSA-2019:1545", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3Cdev.logging.apache.org%3E", }, { name: "[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", }, { name: "[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { name: "[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", }, { name: "[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3Cdev.logging.apache.org%3E", }, { name: "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", }, { name: "[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3Ccommits.logging.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { name: "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5594: [FE][Bug]Update log4j-web to fix a security issue", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3Ccommits.doris.apache.org%3E", }, { name: "[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3Cissues.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3Cgithub.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Log4j", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "All versions between 2.0-alpha1 and 2.8.1", }, ], }, ], datePublic: "2017-04-02T00:00:00", descriptions: [ { lang: "en", value: "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.", }, ], problemTypes: [ { descriptions: [ { description: "Remote Code Execution.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:40:00", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "RHSA-2017:2888", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:2809", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "97702", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/97702", }, { name: "1041294", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1041294", }, { name: "RHSA-2017:2810", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:1801", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { name: "RHSA-2017:2889", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2635", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { name: "RHSA-2017:2638", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { name: "RHSA-2017:1417", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { name: "RHSA-2017:2423", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { name: "RHSA-2017:2808", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "1040200", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040200", }, { name: "RHSA-2017:2636", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { name: "RHSA-2017:3399", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { name: "RHSA-2017:2637", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { name: "RHSA-2017:3244", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { name: "RHSA-2017:3400", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { name: "RHSA-2017:2633", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { name: "RHSA-2017:2811", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:1802", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { name: "RHSA-2019:1545", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3Cdev.logging.apache.org%3E", }, { name: "[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", }, { name: "[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { name: "[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", }, { name: "[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3Cdev.logging.apache.org%3E", }, { name: "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", }, { name: "[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3Ccommits.logging.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { name: "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5594: [FE][Bug]Update log4j-web to fix a security issue", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3Ccommits.doris.apache.org%3E", }, { name: "[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3Cissues.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3Cgithub.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2017-5645", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Log4j", version: { version_data: [ { version_value: "All versions between 2.0-alpha1 and 2.8.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Remote Code Execution.", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:2888", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:2809", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "97702", refsource: "BID", url: "http://www.securityfocus.com/bid/97702", }, { name: "1041294", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1041294", }, { name: "RHSA-2017:2810", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:1801", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { name: "RHSA-2017:2889", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2635", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { name: "RHSA-2017:2638", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { name: "RHSA-2017:1417", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { name: "RHSA-2017:2423", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { name: "RHSA-2017:2808", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "1040200", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040200", }, { name: "RHSA-2017:2636", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { name: "RHSA-2017:3399", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { name: "RHSA-2017:2637", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { name: "RHSA-2017:3244", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { name: "RHSA-2017:3400", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { name: "RHSA-2017:2633", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { name: "RHSA-2017:2811", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:1802", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { name: "RHSA-2019:1545", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", }, { name: "[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?", refsource: "MLIST", url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc@%3Cdev.logging.apache.org%3E", }, { name: "[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125@%3Cdev.logging.apache.org%3E", }, { name: "[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { name: "[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917@%3Cannounce.apache.org%3E", }, { name: "[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9@%3Cdev.logging.apache.org%3E", }, { name: "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E", }, { name: "[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d@%3Ccommits.logging.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { name: "https://security.netapp.com/advisory/ntap-20181107-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { name: "https://security.netapp.com/advisory/ntap-20180726-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { name: "https://issues.apache.org/jira/browse/LOG4J2-1863", refsource: "CONFIRM", url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { name: "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5594: [FE][Bug]Update log4j-web to fix a security issue", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422@%3Ccommits.doris.apache.org%3E", }, { name: "[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287@%3Cissues.beam.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44@%3Cgithub.beam.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-5645", datePublished: "2017-04-17T21:00:00", dateReserved: "2017-01-29T00:00:00", dateUpdated: "2024-08-05T15:11:47.391Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2016-4437
Vulnerability from cvelistv5
Published
2016-06-07 14:00
Modified
2025-02-07 13:29
Severity ?
EPSS score ?
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
| ▼ | URL | Tags |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2016-2035.html | vendor-advisory, x_refsource_REDHAT | |
| https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html | x_refsource_MISC | |
| http://rhn.redhat.com/errata/RHSA-2016-2036.html | vendor-advisory, x_refsource_REDHAT | |
| http://www.securityfocus.com/bid/91024 | vdb-entry, x_refsource_BID | |
| http://www.securityfocus.com/archive/1/538570/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
| http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T00:32:24.897Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2016-4437", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-07T13:29:14.189192Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2021-11-03", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2016-4437", }, type: "kev", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-321", description: "CWE-321 Use of Hard-coded Cryptographic Key", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-07T13:29:17.376Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-06-03T00:00:00.000Z", descriptions: [ { lang: "en", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-04-29T17:06:16.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2016:2035", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-4437", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2035", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { name: "[announcements@aurora.apache.org] 20171101 Apache Aurora information disclosure vulnerability", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E", }, { name: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { name: "RHSA-2016:2036", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { name: "91024", refsource: "BID", url: "http://www.securityfocus.com/bid/91024", }, { name: "20160603 [Announce] CVE-2016-4437: Apache Shiro information disclosure vulnerability", refsource: "BUGTRAQ", url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { name: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-4437", datePublished: "2016-06-07T14:00:00.000Z", dateReserved: "2016-05-02T00:00:00.000Z", dateUpdated: "2025-02-07T13:29:17.376Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-0204
Vulnerability from cvelistv5
Published
2019-03-25 21:43
Modified
2024-08-04 17:44
Severity ?
EPSS score ?
Summary
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
References
| ▼ | URL | Tags |
|---|---|---|
| https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E | mailing-list, x_refsource_MLIST | |
| http://www.securityfocus.com/bid/107605 | vdb-entry, x_refsource_BID | |
| https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisory, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache | Apache Mesos |
Version: pre-1.4.x Version: 1.4.0 to 1.4.2 Version: 1.5.0 to 1.5.2 Version: 1.6.0 to 1.6.1 Version: 1.7.0 to 1.7.1 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:44:14.728Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E", }, { name: "107605", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/107605", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Mesos", vendor: "Apache", versions: [ { status: "affected", version: "pre-1.4.x", }, { status: "affected", version: "1.4.0 to 1.4.2", }, { status: "affected", version: "1.5.0 to 1.5.2", }, { status: "affected", version: "1.6.0 to 1.6.1", }, { status: "affected", version: "1.7.0 to 1.7.1", }, ], }, ], datePublic: "2019-03-23T00:00:00", descriptions: [ { lang: "en", value: "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.", }, ], problemTypes: [ { descriptions: [ { description: "Other", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-11-14T23:06:47", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E", }, { name: "107605", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/107605", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2019-0204", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Mesos", version: { version_data: [ { version_value: "pre-1.4.x", }, { version_value: "1.4.0 to 1.4.2", }, { version_value: "1.5.0 to 1.5.2", }, { version_value: "1.6.0 to 1.6.1", }, { version_value: "1.7.0 to 1.7.1", }, ], }, }, ], }, vendor_name: "Apache", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Other", }, ], }, ], }, references: { reference_data: [ { name: "[mesos-dev] 20190323 CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E", }, { name: "107605", refsource: "BID", url: "http://www.securityfocus.com/bid/107605", }, { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2019-0204", datePublished: "2019-03-25T21:43:04", dateReserved: "2018-11-14T00:00:00", dateUpdated: "2024-08-04T17:44:14.728Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2019-11-25 11:15
Modified
2024-11-21 04:18
Severity ?
Summary
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2020:0481 | Vendor Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2020:0727 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20220210-0018/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2020:0481 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2020:0727 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220210-0018/ | Third Party Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*", matchCriteriaId: "EC18B2E6-CC6C-4CA3-9947-C18197CA22C5", versionEndExcluding: "8.2.12", vulnerable: true, }, { criteria: "cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*", matchCriteriaId: "D776F69C-45D9-4CE6-94AB-1E13AB796677", versionEndExcluding: "9.4.17", versionStartIncluding: "9.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", matchCriteriaId: "2BF03A52-4068-47EA-8846-1E5FB708CE1A", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.", }, { lang: "es", value: "Se encontró una vulnerabilidad en Infinispan, de modo que el método invokeAccessibly de la clase pública ReflectionUtil permite que cualquier clase de aplicación invoque métodos privados en cualquier clase con los privilegios de Infinispan. El atacante puede usar la reflexión para introducir un nuevo comportamiento malicioso en la aplicación.", }, ], id: "CVE-2019-10174", lastModified: "2024-11-21T04:18:34.940", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.6, impactScore: 5.9, source: "secalert@redhat.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-11-25T11:15:10.823", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0481", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0018/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0481", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10174", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0018/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-470", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-470", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-11-08 15:15
Modified
2024-11-21 04:27
Severity ?
Summary
It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2019:3892 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2019:3892 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860 | Issue Tracking, Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:*", matchCriteriaId: "8C11ECD7-B276-473A-A3F9-464680746BA7", versionEndExcluding: "7.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:syndesis:-:*:*:*:*:*:*:*", matchCriteriaId: "9D44C0BF-9C15-4256-8AA8-8E154A4F407C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.", }, { lang: "es", value: "Se detectó que la configuración de Syndesis para Cross-Origin Resource Sharing fue establecida para permitir todos los orígenes. Un atacante podría utilizar esta falta de protección para conducir ataques de phishing y acceder aún más a información no autorizada.", }, ], id: "CVE-2019-14860", lastModified: "2024-11-21T04:27:31.077", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 4, source: "secalert@redhat.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-11-08T15:15:11.673", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14860", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-942", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-05-27 19:15
Modified
2024-11-21 04:55
Severity ?
Summary
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1814974 | Issue Tracking, Patch, Vendor Advisory | |
| secalert@redhat.com | https://github.com/quarkusio/quarkus/issues/7248 | Exploit, Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://issues.redhat.com/browse/RESTEASY-2519 | Issue Tracking, Permissions Required, Vendor Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20210706-0008/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1814974 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/quarkusio/quarkus/issues/7248 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://issues.redhat.com/browse/RESTEASY-2519 | Issue Tracking, Permissions Required, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210706-0008/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | fuse | 1.0 | |
| redhat | jboss_enterprise_application_platform | - | |
| redhat | openshift_application_runtimes | - | |
| redhat | resteasy | * | |
| redhat | resteasy | * | |
| redhat | jboss_enterprise_application_platform | 7.3 | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | jboss_enterprise_application_platform | 7.4 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", matchCriteriaId: "C93D5599-3FD3-4285-8366-3790048C542D", versionEndExcluding: "3.11.1", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", matchCriteriaId: "546D0E74-C88A-446F-B317-745350DC3C8A", versionEndExcluding: "4.5.3", versionStartIncluding: "4.5.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.", }, { lang: "es", value: "Se encontró un fallo de tipo cross-site scripting (XSS) en RESTEasy en versiones anteriores a 3.11.1.Final y anteriores a 4.5.3.Final, donde no manejaba apropiadamente la codificación de URL cuando ocurre la excepción RESTEASY003870. Un atacante podría usar este fallo para lanzar un ataque XSS reflejado", }, ], id: "CVE-2020-10688", lastModified: "2024-11-21T04:55:51.450", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-05-27T19:15:07.643", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/quarkusio/quarkus/issues/7248", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Permissions Required", "Vendor Advisory", ], url: "https://issues.redhat.com/browse/RESTEASY-2519", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210706-0008/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1814974", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/quarkusio/quarkus/issues/7248", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Permissions Required", "Vendor Advisory", ], url: "https://issues.redhat.com/browse/RESTEASY-2519", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20210706-0008/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2020-05-26 16:15
Modified
2024-11-21 04:55
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20220210-0014/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220210-0014/ | Third Party Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "442A396E-2B33-4054-9917-A6041ECCD9D0", versionEndExcluding: "2.1.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_insight:*:*:*:*:*:*:*:*", matchCriteriaId: "DED090C2-2AB7-413E-8F55-75EF394AA36A", versionEndExcluding: "7.3.13", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.", }, { lang: "es", value: "Se detectó un fallo en Undertow en versiones anteriores a 2.1.1.Final, con respecto al procesamiento de peticiones HTTP no válidas con tamaños de fragmentos grandes. Este fallo permite a un atacante tomar ventaja del tráfico no autorizado de peticiones HTTP.", }, ], id: "CVE-2020-10719", lastModified: "2024-11-21T04:55:55.363", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-05-26T16:15:12.180", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0014/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0014/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-444", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-444", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-05-24 19:15
Modified
2024-11-21 06:21
Severity ?
Summary
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1970930 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20220804-0003/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1970930 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20220804-0003/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | fuse | 1.0 | |
| redhat | jboss_enterprise_application_platform | - | |
| redhat | openshift_application_runtimes | - | |
| redhat | single_sign-on | - | |
| redhat | undertow | * | |
| redhat | undertow | * | |
| redhat | undertow | 2.0.35 | |
| redhat | undertow | 2.0.36 | |
| redhat | undertow | 2.0.39 | |
| redhat | undertow | 2.2.6 | |
| redhat | undertow | 2.2.7 | |
| redhat | undertow | 2.2.9 | |
| redhat | jboss_enterprise_application_platform | 7.3 | |
| redhat | jboss_enterprise_application_platform | 7.4 | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | oncommand_insight | - | |
| netapp | oncommand_workflow_automation | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "1BAD876A-2A44-4217-AD8E-723F6C659D6B", versionEndExcluding: "2.0.35", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "F9364241-A687-4277-BD0A-23875980F7BA", versionEndExcluding: "2.2.6", versionStartIncluding: "2.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:2.0.35:-:*:*:*:*:*:*", matchCriteriaId: "1606D630-BD33-4D6C-AB09-E21567B9DAD7", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:2.0.36:-:*:*:*:*:*:*", matchCriteriaId: "4F6461F3-EE16-4F87-BB63-BF76458B7B57", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:2.0.39:-:*:*:*:*:*:*", matchCriteriaId: "600AB6B3-6091-49DF-AA7D-E4400F69D61F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:2.2.6:-:*:*:*:*:*:*", matchCriteriaId: "BA47D051-72D8-4AA8-90FA-04B8CA1C9FE5", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:2.2.7:-:*:*:*:*:*:*", matchCriteriaId: "8BEC107E-11EE-497D-834C-CCF5921C0CE1", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:2.2.9:-:*:*:*:*:*:*", matchCriteriaId: "A1530774-1A8C-46D0-85BE-AC1A9CA0071E", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.", }, { lang: "es", value: "Se ha encontrado un fallo en Undertow. El HTTP2SourceChannel no escribe la última trama en algunas circunstancias, resultando en una denegación de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad. Este fallo afecta a Undertow versiones anteriores a 2.0.35.SP1, anteriores a 2.2.6.SP1, anteriores a 2.2.7.SP1, anteriores a 2.0.36.SP1, anteriores a 2.2.9.Final y anteriores a 2.0.39.Final", }, ], id: "CVE-2021-3597", lastModified: "2024-11-21T06:21:56.077", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 4.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-24T19:15:09.037", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1970930", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220804-0003/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1970930", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220804-0003/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-362", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-362", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-14 15:15
Modified
2024-11-21 07:38
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "68146098-58F8-417E-B165-5182527117C4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "0F31D7E8-D31D-4268-9ABF-3733915AA226", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", matchCriteriaId: "B87C8AD3-8878-4546-86C2-BF411876648C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*", matchCriteriaId: "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", matchCriteriaId: "0A24CBFB-4900-47A5-88D2-A44C929603DC", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", matchCriteriaId: "C52600BF-9E87-4CD2-91F3-685AFE478C1E", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "20A6B40D-F991-4712-8E30-5FE008505CB7", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "ADFD3441-27E7-4993-9EB5-586534A49865", versionEndExcluding: "2.2.24", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "8326F4BF-F0AB-43A1-BF97-FC5889EEA2EB", versionEndExcluding: "2.3.5", versionStartIncluding: "2.3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", matchCriteriaId: "EA983F8C-3A06-450A-AEFF-9429DE9A3454", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", matchCriteriaId: "40449571-22F8-44FA-B57B-B43F71AB25E2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*", matchCriteriaId: "B02036DD-4489-480B-B7D4-4EB08952377B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*", matchCriteriaId: "C7E78C55-45B6-4E01-9773-D3468F8EA9C3", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*", matchCriteriaId: "30E2CF79-2D56-48AB-952E-5DDAFE471073", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", matchCriteriaId: "54E24055-813B-4E6D-94B7-FAD5F78B8537", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*", matchCriteriaId: "2DEC61BC-E699-456E-99B6-C049F2A5F23F", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.", }, { lang: "es", value: "Se encontró una falla en undertow. Este problema hace posible lograr una denegación de servicio debido a un estado de protocolo de enlace inesperado actualizado en SslConduit, donde el bucle nunca termina", }, ], id: "CVE-2023-1108", lastModified: "2024-11-21T07:38:28.330", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-14T15:15:08.293", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1184", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1185", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1512", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1513", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1514", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1516", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2023:2135", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3883", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3884", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3885", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3888", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3892", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:4612", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { source: "secalert@redhat.com", url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20231020-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1184", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1185", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1512", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1513", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1514", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1516", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2023:2135", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3883", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3884", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3885", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3892", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:3954", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:4612", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-1108", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2174246", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://github.com/advisories/GHSA-m4mm-pg93-fv78", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20231020-0002/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-835", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-835", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2015-02-17 15:59
Modified
2025-04-12 10:46
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| elastic | elasticsearch | * | |
| elastic | elasticsearch | * | |
| redhat | fuse | 1.0.0 |
{ cisaActionDue: "2022-04-15", cisaExploitAdd: "2022-03-25", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "Elasticsearch Groovy Scripting Engine Remote Code Execution Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", matchCriteriaId: "DA519AE4-05D4-4C0A-81F0-95C50B51DAEA", versionEndExcluding: "1.3.8", vulnerable: true, }, { criteria: "cpe:2.3:a:elastic:elasticsearch:*:*:*:*:*:*:*:*", matchCriteriaId: "F148EDE6-303D-4F26-B88D-D379BC003B42", versionEndExcluding: "1.4.3", versionStartIncluding: "1.4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "0F31D7E8-D31D-4268-9ABF-3733915AA226", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.", }, { lang: "es", value: "El motor de secuencias de comandos Groovy en Elasticsearch anterior a 1.3.8 y 1.4.x anterior a 1.4.3 permite a atacantes remotos evadir el mecanismo de protección de sandbox y ejecutar comandos de shell arbitrarios a través de una secuencia de comandos manipulada.", }, ], id: "CVE-2015-1427", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2015-02-17T15:59:04.560", references: [ { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html", }, { source: "cve@mitre.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html", }, { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/", }, { source: "cve@mitre.org", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/archive/1/534689/100/0/threaded", }, { source: "cve@mitre.org", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/72585", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { source: "cve@mitre.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/100850", }, { source: "cve@mitre.org", tags: [ "Not Applicable", "Vendor Advisory", ], url: "https://www.elastic.co/community/security/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/130368/Elasticsearch-1.3.7-1.4.2-Sandbox-Escape-Command-Execution.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/130784/ElasticSearch-Unauthenticated-Remote-Code-Execution.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://www.elasticsearch.com/blog/elasticsearch-1-4-3-1-3-8-released/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/archive/1/534689/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/72585", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:0868", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/100850", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Not Applicable", "Vendor Advisory", ], url: "https://www.elastic.co/community/security/", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-11-08 15:15
Modified
2024-11-21 04:18
Severity ?
Summary
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:hibernate_validator:*:*:*:*:*:*:*:*", matchCriteriaId: "552F082C-38E5-49A9-A451-71B6ECAF21B2", versionEndExcluding: "6.0.18", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha1:*:*:*:*:*:*", matchCriteriaId: "A82A1C19-F8AE-4DA9-891D-247F07D57605", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha2:*:*:*:*:*:*", matchCriteriaId: "E38B943A-B167-4EAD-9308-47FF525BE57A", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha3:*:*:*:*:*:*", matchCriteriaId: "6766965C-2991-4559-975B-9E864DF8F10D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha4:*:*:*:*:*:*", matchCriteriaId: "E6CD7403-23C7-488F-84EC-1F0C675E87D3", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha5:*:*:*:*:*:*", matchCriteriaId: "A0033893-4CA9-41F4-8FF0-3BE20F5BE1C4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:hibernate_validator:6.1.0:alpha6:*:*:*:*:*:*", matchCriteriaId: "EEB7C69E-FA13-43AB-89AD-FE1E4687E02A", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", matchCriteriaId: "2BF03A52-4068-47EA-8846-1E5FB708CE1A", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:*:*:*:*:*:*:*", matchCriteriaId: "FDAC85F0-93AF-4BE3-AE1A-8ADAF1CDF9AB", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "DC01D8F3-291A-44E5-99C1-6771F6656E0E", vulnerable: true, }, { criteria: "cpe:2.3:o:netapp:element:-:*:*:*:*:vcenter_server:*:*", matchCriteriaId: "5E1DE4F5-9094-4C73-AA1B-5C902F38DD24", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "8DEAFEDC-2D0F-4A5F-99A0-BD41DD6DC017", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "A287FA5D-D7D9-40B4-8DB2-1D7CE1808408", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "20EB3430-0FF2-4668-BB20-A5611ACC73F6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "80C9DBB8-3D50-4D5D-859A-B022EB7C2E64", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", matchCriteriaId: "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*", matchCriteriaId: "432BFCF5-A5DC-487C-A111-DE70AB3FCDAC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*", matchCriteriaId: "5B62CB3B-FDDF-4AFF-A47E-6ADE6504D451", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:airlines_data_model:12.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "06480458-3216-4C42-9270-F68A41EEC147", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:airlines_data_model:12.2.0.1.0:*:*:*:*:*:*:*", matchCriteriaId: "480BF1CB-11D7-4D86-A99E-960F316F2E1B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_express:21.1.4:*:*:*:*:*:*:*", matchCriteriaId: "BB124AD9-8000-449B-8219-0FF011F86B03", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_performance_management:13.4.1.0:*:*:*:*:*:*:*", matchCriteriaId: "F84E5662-0289-4ED5-A112-BC506508216C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_performance_management:13.5.1.0:*:*:*:*:*:*:*", matchCriteriaId: "AD312681-73A4-4B21-BDE8-50DED7E3E0CF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A125E817-F974-4509-872C-B71933F42AD1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_analytics:8.2.1:*:*:*:*:*:*:*", matchCriteriaId: "BC3D0C4E-0B40-4ACF-BD9E-104CC1D77521", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_analytics:8.2.2:*:*:*:*:*:*:*", matchCriteriaId: "E67940FD-3BA7-40A8-8E40-44B37D23E2DE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_analytics:8.2.3:*:*:*:*:*:*:*", matchCriteriaId: "EE6EB4DE-33DA-4810-96BD-29C82B433714", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_analytics:8.21:*:*:*:*:*:*:*", matchCriteriaId: "0C446826-EF5B-4937-ADB4-1102F9F39304", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_insight:8.2.1:*:*:*:*:*:*:*", matchCriteriaId: "F7FCB446-49A7-48B9-8808-E72A4E2E48C7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_insight:8.2.2:*:*:*:*:*:*:*", matchCriteriaId: "9E9B2F53-257E-49E2-83C3-0840BDB4D67C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_insight:8.2.3:*:*:*:*:*:*:*", matchCriteriaId: "6CF34B1B-0FC0-4EA6-830D-D2191337D451", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_safety:8.2.1:*:*:*:*:*:*:*", matchCriteriaId: "09B79608-5D94-45C3-ADF0-B181B92C3014", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_safety:8.2.2:*:*:*:*:*:*:*", matchCriteriaId: "9F05D844-38BD-4EEB-AF91-E5ED18B1E7E8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:argus_safety:8.2.3:*:*:*:*:*:*:*", matchCriteriaId: "25193811-46CE-4A0E-B22D-67BE99FAD450", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:18.1:*:*:*:*:*:*:*", matchCriteriaId: "869D51B3-FB50-4BD6-8A0C-D0984267525F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:18.2:*:*:*:*:*:*:*", matchCriteriaId: "08B8F413-2000-493B-82B1-BEFE343BB8C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*", matchCriteriaId: "042269E6-D3B4-4867-86FA-9301FACA9FF2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*", matchCriteriaId: "CF34B11F-3DE1-4C22-8EB1-AEE5CE5E4172", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*", matchCriteriaId: "86F03B63-F922-45CD-A7D1-326DB0042875", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", matchCriteriaId: "7CBFC93F-8B39-45A2-981C-59B187169BD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0843465C-F940-4FFC-998D-9A2668B75EA0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.12.0:*:*:*:*:*:*:*", matchCriteriaId: "1F834ACC-D65B-4CA3-91F1-415CBC6077E2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:17.2:*:*:*:*:*:*:*", matchCriteriaId: "560F20E6-AEA1-4CE5-A393-C9B2CF334C5C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*", matchCriteriaId: "BBE7BF09-B89C-4590-821E-6C0587E096B5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*", matchCriteriaId: "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*", matchCriteriaId: "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*", matchCriteriaId: "18127694-109C-4E7E-AE79-0BA351849291", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", matchCriteriaId: "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", matchCriteriaId: "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "E60C0966-BF0D-4D18-B09B-5D0BB96DBFF3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "E0FCD3BC-33D8-49D1-844B-6B9DE0CA4997", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*", matchCriteriaId: "473749BD-267E-480F-8E7F-C762702DB66E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*", matchCriteriaId: "74C7E2F1-17FC-4322-A5C3-F7EB612BA4F5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*", matchCriteriaId: "320D36DA-D99F-4149-B582-3F4AB2F41A1B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*", matchCriteriaId: "05E4EB25-7B7A-4A10-A535-8C7CA4D6FEB6", versionEndIncluding: "2.4.0", versionStartIncluding: "2.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_loans_servicing:2.12.0:*:*:*:*:*:*:*", matchCriteriaId: "5E502A46-BAF4-4558-BC8F-9F014A2FB26A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "C542DC5E-6657-4178-9C69-46FD3C187D56", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*", matchCriteriaId: "6D0F559E-0790-461B-ACED-5B00F4D40893", versionEndIncluding: "2.4.1", versionStartIncluding: "2.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "132CE62A-FBFC-4001-81EC-35D81F73AF48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "282150FF-C945-4A3E-8A80-E8757A8907EA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*", matchCriteriaId: "645AA3D1-C8B5-4CD2-8ACE-31541FA267F0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:5.5.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "5CD806C1-CC17-47BD-8BB0-9430C4253BC7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:11.1.1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "C83DA9A0-2EBC-4298-8412-1A7C4DC88C2B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "9DC56004-4497-4CDD-AE76-5E3DFAE170F0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "274A0CF5-41E8-42E0-9931-F7372A65B9C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:big_data_spatial_and_graph:23.1:*:*:*:*:*:*:*", matchCriteriaId: "BEF828F5-C666-40DA-98DD-CDF658D7090B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_activity_monitoring:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "BA8461A2-428C-4817-92A9-0C671545698D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*", matchCriteriaId: "D40AD626-B23A-44A3-A6C0-1FFB4D647AE4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*", matchCriteriaId: "B602F9E8-1580-436C-A26D-6E6F8121A583", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*", matchCriteriaId: "77C3DD16-1D81-40E1-B312-50FBD275507C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*", matchCriteriaId: "81DAC8C0-D342-44B5-9432-6B88D389584F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "E869C417-C0E6-4FC3-B406-45598A1D1906", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "DFEFE2C0-7B98-44F9-B3AD-D6EC607E90DA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:clinical:5.2.1:*:*:*:*:*:*:*", matchCriteriaId: "4B2CEA84-0983-4C40-B923-99244ABCF32D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:clinical:5.2.2:*:*:*:*:*:*:*", matchCriteriaId: "2FD798A8-38B7-42C1-9043-863D16CE7ACA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*", matchCriteriaId: "2A3622F5-5976-4BBC-A147-FC8A6431EA79", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:commerce_platform:*:*:*:*:*:*:*:*", matchCriteriaId: "F012E976-E219-46C2-8177-60ED859594BE", versionEndIncluding: "11.3.2", versionStartIncluding: "11.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*", matchCriteriaId: "787E2C1B-9BAD-4018-8495-E9BE75628BB8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3:*:*:*:*:*:*:*", matchCriteriaId: "B0111372-B39F-4B3D-8136-44C2C1CFD12B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.4:*:*:*:*:*:*:*", matchCriteriaId: "B465F237-0271-4389-8035-89C07A52350D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*", matchCriteriaId: "5A9E4125-B744-4A9D-BFE6-5D82939958FD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*", matchCriteriaId: "261212BD-125A-487F-97E8-A9587935DFE8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.5.0:*:*:*:*:*:*:*", matchCriteriaId: "4063FAD6-21D4-42C7-87C0-D299532E0982", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.6.0:*:*:*:*:*:*:*", matchCriteriaId: "F6E8A8C3-253A-4BDD-9AD2-4445DC387B4D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*", matchCriteriaId: "98FB24DB-AF91-48D0-9CA5-C8250D183FD5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "868E7C46-7E45-4CFA-8A25-7CBFED912096", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", matchCriteriaId: "B6B6FE82-7BFA-481D-99D6-789B146CA18B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "BC12B43F-30F6-4B05-AB3A-E91D8404D5A5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "5D423B62-8EFE-4EFD-A986-5F5ECE5B892F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "8E463039-5E48-4AA0-A42B-081053FA0111", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "4479F76A-4B67-41CC-98C7-C76B81050F8E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0:*:*:*:*:*:*:*", matchCriteriaId: "DAEB09CA-9352-43CD-AF66-92BE416E039C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "45E5C9B0-AB25-4744-88E4-FD0C4A853001", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.15.0:*:*:*:*:*:*:*", matchCriteriaId: "A442DA9E-FF9A-4C51-9D3E-68D09C8BB472", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "0AB059F2-FEC4-4180-8A90-39965495055E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*", matchCriteriaId: "5A276784-877B-4A29-A8F1-70518A438A9A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "59275C23-53C0-4890-A941-A71226B50CFB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*", matchCriteriaId: "0535B116-57D6-4448-86A2-09BCE50894B8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "7DF939F5-C0E1-40A4-95A2-0CE7A03AB4EE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_convergent_charging_controller:*:*:*:*:*:*:*:*", matchCriteriaId: "0172500D-DE51-44E0-91E8-C8F36617C1F8", versionEndIncluding: "12.0.4.0.0", versionStartIncluding: "12.0.1.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_convergent_charging_controller:6.0.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E99E7D49-AE53-4D16-AB24-EBEAAD084289", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_data_model:11.3.2.1.0:*:*:*:*:*:*:*", matchCriteriaId: "69C215AB-25B4-47A6-AD6A-A60D2C0FF72F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_data_model:11.3.2.2.0:*:*:*:*:*:*:*", matchCriteriaId: "8E77E48F-1521-4C89-A5D0-A7F0A8D21AD1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_data_model:11.3.2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "6F88A2F3-E201-4C68-8D11-0A5C76CDB071", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_data_model:12.1.0.1.0:*:*:*:*:*:*:*", matchCriteriaId: "CBD877F8-E6EF-4314-AAC0-36F81F4908DF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_data_model:12.1.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "3D7356B6-E197-4978-BF18-2CFD4D350A76", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*", matchCriteriaId: "93BE4838-1144-4A6A-ABDB-F2766E64C91C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*", matchCriteriaId: "1B54457C-8305-4F82-BE1E-DBA030A8E676", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*", matchCriteriaId: "C756C62B-E655-4770-8E85-B1995889E416", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.4.1:*:*:*:*:*:*:*", matchCriteriaId: "93F65B4C-59D5-450A-9955-7FDA32252B0F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_design_studio:7.4.2:*:*:*:*:*:*:*", matchCriteriaId: "A67AA54B-258D-4D09-9ACB-4085E0B3E585", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_route:*:*:*:*:*:*:*:*", matchCriteriaId: "A6BD600E-F3E9-40CE-9414-1D4506ACC1D8", versionEndIncluding: "8.5.1.0", versionStartIncluding: "8.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_eagle_application_processor:*:*:*:*:*:*:*:*", matchCriteriaId: "95A3E946-BBD5-4BCB-B864-FB3BF5DE56D0", versionEndIncluding: "16.4", versionStartIncluding: "16.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*", matchCriteriaId: "C4A94B36-479F-48F2-9B9E-ACEA2589EF48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*", matchCriteriaId: "46E23F2E-6733-45AF-9BD9-1A600BD278C8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*", matchCriteriaId: "E812639B-EE28-4C68-9F6F-70C8BF981C86", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "E1214FDF-357A-4BB9-BADE-50FB2BD16D10", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*", matchCriteriaId: "64BCB9E3-883D-4C1F-9785-2E182BA47B5B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_charging_and_control:*:*:*:*:*:*:*:*", matchCriteriaId: "26940103-F37C-4FBD-BDFD-528A497209D6", versionEndIncluding: "12.0.4.0.0", versionStartIncluding: "12.0.1.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_charging_and_control:6.0.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "EB9047B1-DA8C-4BFD-BE41-728BD7ECF3E6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_integrity:7.3.5:*:*:*:*:*:*:*", matchCriteriaId: "FB92D8A7-2ABD-4B70-A32C-4B6B866C5B8B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", matchCriteriaId: "B21E6EEF-2AB7-4E96-B092-1F49D11B4175", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*", matchCriteriaId: "A23B00C1-878A-4B55-B87B-EFFFA6A5E622", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*", matchCriteriaId: "D52F557F-D0A0-43D3-85F1-F10B6EBFAEDF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_operations_monitor:4.2:*:*:*:*:*:*:*", matchCriteriaId: "F545DFC9-F331-4E1D-BACB-3D26873E5858", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*", matchCriteriaId: "CBE1A019-7BB6-4226-8AC4-9D6927ADAEFA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*", matchCriteriaId: "B98BAEB2-A540-4E8A-A946-C4331B913AFD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*", matchCriteriaId: "B8FBE260-E306-4215-80C0-D2D27CA43E0F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "D7B49D71-6A31-497A-B6A9-06E84F086E7A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*", matchCriteriaId: "A28F42F0-FBDA-4574-AD30-7A04F27FEA3E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_service_broker:6.2:*:*:*:*:*:*:*", matchCriteriaId: "E6235EAE-47DD-4292-9941-6FF8D0A83843", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*", matchCriteriaId: "062E4E7C-55BB-46F3-8B61-5A663B565891", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.2:*:*:*:*:*:*:*", matchCriteriaId: "2B9F6415-2950-49FE-9CAF-8BCA4DB6DF4B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.3:*:*:*:*:*:*:*", matchCriteriaId: "C05190B9-237F-4E2E-91EA-DB1B738864AD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_session_border_controller:8.4:*:*:*:*:*:*:*", matchCriteriaId: "9C416FD3-2E2F-4BBC-BD5F-F896825883F4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_session_border_controller:9.0:*:*:*:*:*:*:*", matchCriteriaId: "D886339E-EDB2-4879-BD54-1800E4CA9CAE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.0:*:*:*:*:*:*:*", matchCriteriaId: "05AD47CC-8A6D-4AEC-B23E-701D3D649CC6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*", matchCriteriaId: "0D299528-8EF0-49AF-9BDE-4B6C6B1DA36C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*", matchCriteriaId: "17A91FD9-9F77-42D3-A4D9-48BC7568ADE1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*", matchCriteriaId: "539DA24F-E3E0-4455-84C6-A9D96CD601B3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*", matchCriteriaId: "A7637F8B-15F1-42E2-BE18-E1FF7C66587D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*", matchCriteriaId: "E43D793A-7756-4D58-A8ED-72DC4EC9CEA7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_unified_inventory_management:7.5.0:*:*:*:*:*:*:*", matchCriteriaId: "0EBC7EB1-FD72-4BFC-92CC-7C8B8E462D7C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2.0:*:*:*:*:*:*:*", matchCriteriaId: "6814B606-D054-433C-A46E-0F6E338E1C46", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2.1:*:*:*:*:*:*:*", matchCriteriaId: "1F05AF4B-A747-4314-95AE-F8495479AB3E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "9901F6BA-78D5-45B8-9409-07FF1C6DDD38", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "9FADE563-5AAA-42FF-B43F-35B20A2386C9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "5A7D10EB-D98F-4B80-AB9F-D8A9FC813E1C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "4F3D40B7-925C-413D-AFF3-60BF330D5BC2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*", matchCriteriaId: "B2204841-585F-40C7-A1D9-C34E612808CA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:database_server:21c:*:*:*:*:*:*:*", matchCriteriaId: "BDB96A21-161F-42A9-9402-FABEC9C0C15A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:demantra_demand_management:*:*:*:*:*:*:*:*", matchCriteriaId: "132DE874-6E47-452A-9FDD-27D5A41F046E", versionEndIncluding: "12.2.11", versionStartIncluding: "12.2.6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:documaker:*:*:*:*:*:*:*:*", matchCriteriaId: "135D531C-A692-4BE3-AB8C-37BB0D35559A", versionEndIncluding: "12.6.4", versionStartIncluding: "12.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*", matchCriteriaId: "7E6DF81E-E392-49E5-ADF4-510A3737A5CE", versionEndIncluding: "12.2.11", versionStartIncluding: "12.2.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_communications_broker:3.3:*:*:*:*:*:*:*", matchCriteriaId: "4BE83BC6-5A6F-40A1-AAC7-314A575D8E07", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "36CF85A9-2C29-46E7-961E-8ADD0B5822CF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "E80555C7-DA1C-472C-9467-19554DCE4476", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*", matchCriteriaId: "D26F3E23-F1A9-45E7-9E5F-0C0A24EE3783", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*", matchCriteriaId: "6E8758C8-87D3-450A-878B-86CE8C9FC140", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*", matchCriteriaId: "B095CC03-7077-4A58-AB25-CC5380CDCE5A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*", matchCriteriaId: "7015A8CB-8FA6-423E-8307-BD903244F517", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*", matchCriteriaId: "F9A4E206-56C7-4578-AC9C-088B0C8D9CFE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*", matchCriteriaId: "C78A7E07-AB08-46C5-942D-B40BBE0C0D06", versionEndExcluding: "11.1.2.4.47", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:essbase:*:*:*:*:*:*:*:*", matchCriteriaId: "3197F464-F0A5-4BD4-9068-65CD448D8F4C", versionEndExcluding: "21.3", versionStartIncluding: "21.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:essbase:11.1.2.4.47:*:*:*:*:*:*:*", matchCriteriaId: "809FD6D6-D05D-4387-A725-F707015DEFBB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:essbase_administration_services:*:*:*:*:*:*:*:*", matchCriteriaId: "A093A76C-4B2C-4FAD-BFDF-09862F831102", versionEndExcluding: "11.1.2.4.47", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:essbase_administration_services:11.1.2.4.47:*:*:*:*:*:*:*", matchCriteriaId: "1A1277A9-C49C-4840-A118-986C10A07657", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "7EA4D3C5-6A7C-4421-88EF-445A96DBCE0C", versionEndIncluding: "8.1.1", versionStartIncluding: "8.0.7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:7.3.3:*:*:*:*:*:*:*", matchCriteriaId: "03B9F810-EF80-4551-BA6D-027B0B2A787D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.7:*:*:*:*:*:*:*", matchCriteriaId: "47B0A947-E4C8-4C04-AD3B-950E59DF7A0E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.8:*:*:*:*:*:*:*", matchCriteriaId: "1AC36036-07CE-4903-8FFB-445C6908F0CE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.0.11:*:*:*:*:*:*:*", matchCriteriaId: "435FDFA1-BF6A-499D-BDB6-88A26648DFD5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7:*:*:*:*:*:*:*", matchCriteriaId: "AB3F3F63-9543-4568-BCB1-1CAF88384142", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8:*:*:*:*:*:*:*", matchCriteriaId: "FC0C4CA4-1694-474E-8272-CF96E168D962", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.11:*:*:*:*:*:*:*", matchCriteriaId: "93E953D0-9C0C-4B03-9939-384A1F7E2BC9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.7:*:*:*:*:*:*:*", matchCriteriaId: "767CC73D-2771-4BBC-9D74-4416AEC6BB2E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.8:*:*:*:*:*:*:*", matchCriteriaId: "D33B68C6-2A4E-418C-A2BD-43A3CC5D1003", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_foreign_account_tax_compliance_act_management:8.0.11:*:*:*:*:*:*:*", matchCriteriaId: "DAE3EA23-045D-474C-ABD8-916930D4E9E7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*", matchCriteriaId: "0E8FD060-E9A8-499C-87B0-AF7BBED7771F", versionEndIncluding: "8.1.1", versionStartIncluding: "8.0.8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.7:*:*:*:enterprise:*:*:*", matchCriteriaId: "B57ECC6E-CC64-4DE7-B657-3BA54EDDFFF4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_trade-based_anti_money_laundering:8.0.8:*:*:*:enterprise:*:*:*", matchCriteriaId: "10BBAD37-51A1-4819-807B-2642E9D4A69C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*", matchCriteriaId: "B0A34DF8-72CC-4A8E-84F2-C2DF4A0B9FAB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*", matchCriteriaId: "21BE77B2-6368-470E-B9E6-21664D9A818A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*", matchCriteriaId: "3250073F-325A-4AFC-892F-F2005E3854A5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*", matchCriteriaId: "0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:14.4.0:*:*:*:*:*:*:*", matchCriteriaId: "524429D6-8AF1-4713-A9B8-678B50A3762F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0:*:*:*:*:*:*:*", matchCriteriaId: "ED21B958-0FD0-4697-9CE2-266DEE4E29DC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*", matchCriteriaId: "6762F207-93C7-4363-B2F9-7A7C6F8AF993", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*", matchCriteriaId: "1B74B912-152D-4F38-9FC1-741D6D0B27FC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "2177A5E9-B260-499E-8D60-920679518425", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "6329B1A2-75A8-4909-B4FB-77AC7232B6ED", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "EA86EF7E-6162-4244-9C88-7AF5CAB787E0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate:*:*:*:*:*:*:*:*", matchCriteriaId: "DE5EA810-3110-4343-9054-0FCFCD608C25", versionEndExcluding: "12.3.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate:*:*:*:*:*:*:*:*", matchCriteriaId: "78A48EA9-1CAB-4DD2-9DAD-0213F6EFC48C", versionEndExcluding: "19.1.0.0.220118", versionStartIncluding: "19.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate:*:*:*:*:*:*:*:*", matchCriteriaId: "71050E24-6915-4B5E-98ED-AFAA6C2FF38B", versionEndExcluding: "21.5.0.0.220118", versionStartIncluding: "21.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_application_adapters:19.1.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "E7BE0590-31BD-4FCD-B50E-A5F86196F99E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:20.3.4:*:*:*:enterprise:*:*:*", matchCriteriaId: "9F300E13-1B40-4B35-ACA5-4D402CD41055", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:21.3.0:*:*:*:enterprise:*:*:*", matchCriteriaId: "B10E38A6-783C-45A2-98A1-12FA1EB3D3AA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:*", matchCriteriaId: "29312DB7-AFD2-459E-A166-95437ABED12C", versionEndExcluding: "21.4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_clinical_development_analytics:4.0.1:*:*:*:*:*:*:*", matchCriteriaId: "4E45ADE3-2A3D-4FCA-BCDF-D0CC6CE0A23C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_inform_crf_submit:6.2.1:*:*:*:*:*:*:*", matchCriteriaId: "AB8797ED-52E7-47B6-9F78-E2402671CCAC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.2:*:*:*:*:*:*:*", matchCriteriaId: "97C10FBE-FD9A-4739-9303-5B6FC7551D66", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.3:*:*:*:*:*:*:*", matchCriteriaId: "CF45C905-9EFF-4108-9B70-9FFDDD6627A6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_data_repository:7.0.2:*:*:*:*:*:*:*", matchCriteriaId: "E03F5DEF-DDD7-4C8C-90EF-7E4BCDEFE34B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*", matchCriteriaId: "66C673C4-A825-46C0-816B-103E1C058D03", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_data_repository:8.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BA92E70A-2249-4144-B0B8-35501159ADB3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_foundation:*:*:*:*:*:*:*:*", matchCriteriaId: "F88FB6C5-D797-4017-A285-D3BB24B55429", versionEndIncluding: "7.3.0.2", versionStartIncluding: "7.3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_foundation:*:*:*:*:*:*:*:*", matchCriteriaId: "D747A956-40A6-47D8-A813-FA4E13CB557F", versionEndIncluding: "8.0.2", versionStartIncluding: "8.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*", matchCriteriaId: "E67501BE-206A-49FD-8CBA-22935DF917F1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_foundation:8.1.1:*:*:*:*:*:*:*", matchCriteriaId: "6F04B1BA-EA84-4AA3-B208-DECC33E192EC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_translational_research:4.1.0:*:*:*:*:*:*:*", matchCriteriaId: "523391D8-CB84-4EBD-B337-6A99F52E537F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*", matchCriteriaId: "05F5B430-8BA1-4865-93B5-0DE89F424B53", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6:*:*:*:*:*:*:*", matchCriteriaId: "B0C177E1-66B8-4AB7-A3F0-B6CCDCC28F75", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*", matchCriteriaId: "FCBF2756-B831-4E6E-A15B-2A11DD48DB7C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_suite8:8.10.2:*:*:*:*:*:*:*", matchCriteriaId: "CBDA65DE-5727-49DC-8D50-DA81DB3E8841", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_suite8:8.11.0:*:*:*:*:*:*:*", matchCriteriaId: "A577DCD3-6730-441A-B3BD-6199483FB1E2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_suite8:8.12.0:*:*:*:*:*:*:*", matchCriteriaId: "577A07A9-DBB1-49E6-B2CC-60B917097472", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_suite8:8.13.0:*:*:*:*:*:*:*", matchCriteriaId: "D4833DCA-FC54-4F89-B2DF-8E39C9C49DF6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_suite8:8.14.0:*:*:*:*:*:*:*", matchCriteriaId: "AD7E9060-BA5B-4682-AC0D-EE5105AD0332", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "DFC79B17-E9D2-44D5-93ED-2F959E7A3D43", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "AD04BEE5-E9A8-4584-A68C-0195CE9C402C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hyperion_financial_management:11.1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "49706536-CE9B-4713-8460-CC961B50C341", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hyperion_financial_management:11.2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "F6F77F79-5E93-4FC2-84F2-26AF52B4C08A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hyperion_ilearning:6.2:*:*:*:*:*:*:*", matchCriteriaId: "781049BF-3467-4DB5-89D4-6A76984E0261", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hyperion_ilearning:6.3:*:*:*:*:*:*:*", matchCriteriaId: "058F9FC3-CA81-43BF-B083-DA8BE388E00A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.7.0:*:*:*:*:*:*:*", matchCriteriaId: "52C13DE5-CA3C-414F-8813-BB0847433151", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", matchCriteriaId: "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", matchCriteriaId: "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*", matchCriteriaId: "7F69B9A5-F21B-4904-9F27-95C0F7A628E3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_data_gateway:11.0.2:*:*:*:*:*:*:*", matchCriteriaId: "BD4EE554-DFE7-4C16-BC98-574DC97FC85C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_data_gateway:11.1.0:*:*:*:*:*:*:*", matchCriteriaId: "EE4160ED-75F2-4499-AC6C-90CD092A46E1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_data_gateway:11.2.7:*:*:*:*:*:*:*", matchCriteriaId: "2F03BFDA-6904-42D7-8170-D6FD143BB16C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_data_gateway:11.3.0:*:*:*:*:*:*:*", matchCriteriaId: "32EE6974-6E2E-4DE8-9F2B-8FE0FCEFECFA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_data_gateway:11.3.1:*:*:*:*:*:*:*", matchCriteriaId: "C85900AC-11DA-4FA8-A1E0-270240BF4B0E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:*:*:*:*:*:*:*:*", matchCriteriaId: "87B4051B-EB98-4D10-99D9-F15B44DBC7F0", versionEndIncluding: "5.6.0", versionStartIncluding: "5.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2.0:*:*:*:*:*:*:*", matchCriteriaId: "428D2B1D-CFFD-49D1-BC05-2D85D22004DE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*", matchCriteriaId: "0F89EC4B-6D34-40F0-B7C6-C03D03F81C13", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*", matchCriteriaId: "00C9E689-ED91-4A9D-B9C0-5BF4EC131409", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.2.7:*:*:*:*:*:*:*", matchCriteriaId: "7EFA1879-0BF9-4493-9145-15100BC38C0A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*", matchCriteriaId: "EF958C28-4289-4433-8CD9-B6551F01926F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*", matchCriteriaId: "57E9FC66-F6A0-4FB0-8D92-2C9B9E3F2184", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:*:*:*:*:*:*:*:*", matchCriteriaId: "48261B54-471D-4C03-AFF9-6F2EA8FA8EBB", versionEndIncluding: "11.3.0", versionStartIncluding: "11.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.0:*:*:*:*:*:*:*", matchCriteriaId: "64D4B80E-2B67-4BDC-9A3A-7BFDA171016A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2.4:*:*:*:*:*:*:*", matchCriteriaId: "33E0F28C-1FF3-4E12-AAE4-A765F4F81EC0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:11.0.2:*:*:*:*:*:*:*", matchCriteriaId: "9A570E5E-A3BC-4E19-BC44-C28D8BC9A537", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:*:*:*:*:*:*:*:*", matchCriteriaId: "5DEAB5CD-4223-4A43-AB9E-486113827A6C", versionEndIncluding: "11.3.0", versionStartIncluding: "11.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.2.0:*:*:*:*:*:*:*", matchCriteriaId: "AEDF91E2-E7B5-40EE-B71F-C7D59F4021BD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.2.4:*:*:*:*:*:*:*", matchCriteriaId: "9A94F93C-5828-4D78-9C48-20AC17E72B8E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*", matchCriteriaId: "F3E25293-CB03-44CE-A8ED-04B3A0487A6A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*", matchCriteriaId: "E2B51896-E4DA-4FDA-979F-481FFB3E588A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:java_se:7u321:*:*:*:*:*:*:*", matchCriteriaId: "9F0BF15F-D4D2-4A88-BA15-79B624C4AC7D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:java_se:8u311:*:*:*:*:*:*:*", matchCriteriaId: "D63E2911-7DA8-41AC-AB7A-1AA29076F69F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:java_se:17.1:*:*:*:*:*:*:*", matchCriteriaId: "674AFFA3-E9BA-4AFD-9A73-2A4A9DE427E5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", matchCriteriaId: "65D65139-BB80-4713-8E59-6CA1116DCC1D", versionEndExcluding: "9.2.6.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdk:11.0.13:*:*:*:*:*:*:*", matchCriteriaId: "A7F43D86-B696-41E4-A288-6A2D43A1774A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "A2E3E923-E2AD-400D-A618-26ADF7F841A2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "9AB58D27-37F2-4A32-B786-3490024290A1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", matchCriteriaId: "AC7290F2-AF21-49B9-B3EF-869B7DE1A2AC", versionEndExcluding: "7.4.34", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", matchCriteriaId: "00D3ECDE-287B-4336-898A-0DFEBE2AB6C3", versionEndExcluding: "7.5.24", versionStartIncluding: "7.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", matchCriteriaId: "105CBFD5-20DF-4BF0-9629-B87AF404E33D", versionEndExcluding: "7.6.20", versionStartIncluding: "7.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*", matchCriteriaId: "E248F8CE-5B39-457D-A47E-620858340840", versionEndExcluding: "8.0.27", versionStartIncluding: "8.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_connectors:*:*:*:*:*:*:*:*", matchCriteriaId: "9CD3AAAD-5F6E-4A3C-9CFC-EC4866628ABD", versionEndExcluding: "8.0.27", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_connectors:8.0.27:*:*:*:*:*:*:*", matchCriteriaId: "9E1912FB-8ABF-4640-92E7-367A4923267C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", matchCriteriaId: "2C9E5736-6015-499E-A452-227DCFB87DA7", versionEndExcluding: "5.7.36", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", matchCriteriaId: "F2B0D740-75B1-4953-A99F-965F999FDC64", versionEndExcluding: "8.0.27", versionStartIncluding: "8.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_server:5.7.36:*:*:*:*:*:*:*", matchCriteriaId: "A3F3390B-4081-473F-A5E0-B5E3A3888F04", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_workbench:*:*:*:*:*:*:*:*", matchCriteriaId: "3C56CECB-6B97-406C-8761-8B7F74CA7DEF", versionEndExcluding: "8.0.27", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*", matchCriteriaId: "7167D144-C4AE-487F-B59A-888E10EA59DF", versionEndExcluding: "21.1.12", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:*", matchCriteriaId: "71CB79ED-A93E-4CBD-BCDD-82C5A00B373B", versionEndExcluding: "2.12.42", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.0:*:*:*:*:*:*:*", matchCriteriaId: "E4859861-C2EC-489F-A3B7-ACF85C709C24", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_cs_sa_integration_pack:9.2:*:*:*:*:*:*:*", matchCriteriaId: "247C0D05-C76B-44BC-8750-C716FF980D70", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "E2CB2872-747C-47AC-8463-DD759BF105B6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "1DBC53C9-75EC-46F7-907D-63BB74864CD6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_people_tools:8.59:*:*:*:*:*:*:*", matchCriteriaId: "D370F2E3-EF8A-440C-8319-D52FA3431428", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", matchCriteriaId: "7E1E416B-920B-49A0-9523-382898C2979D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", matchCriteriaId: "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:*:*:*:*:*:*:*:*", matchCriteriaId: "F47057A9-2DDE-4178-B140-F7D70EAED8F6", versionEndIncluding: "12.2.24", versionStartIncluding: "12.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*", matchCriteriaId: "9D8B3B57-73D6-4402-987F-8AE723D52F94", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_analytics:18.8.3.3:*:*:*:*:*:*:*", matchCriteriaId: "FA9948AB-0CA6-4148-949C-E500466B45F5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_analytics:19.12.11.1:*:*:*:*:*:*:*", matchCriteriaId: "56D17905-5E69-4BD5-973B-30662AC3D678", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_analytics:20.12.12.0:*:*:*:*:*:*:*", matchCriteriaId: "70E72A74-F6A9-48EE-9279-3D9E53C2EC30", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_data_warehouse:18.8.3.3:*:*:*:*:*:*:*", matchCriteriaId: "F14C6AB5-CC45-4753-A60F-1F527B063127", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_data_warehouse:19.12.11.1:*:*:*:*:*:*:*", matchCriteriaId: "583BBDF1-DBE4-486D-ABF8-7D2B0408490A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_data_warehouse:20.12.12.0:*:*:*:*:*:*:*", matchCriteriaId: "C9810151-6F80-48FD-A51E-F063EB2B7324", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "8B1C88FD-C2EC-4C96-AC7E-6F95C8763B48", versionEndIncluding: "17.12.11", versionStartIncluding: "17.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "A621A5AE-6974-4BA5-B1AC-7130A46F68F5", versionEndIncluding: "18.8.13", versionStartIncluding: "18.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "4096281D-2EBA-490D-8180-3C9D05EB890A", versionEndIncluding: "19.12.12", versionStartIncluding: "19.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "E6B70E72-B9FC-4E49-8EDD-29C7E14F5792", versionEndIncluding: "20.12.7", versionStartIncluding: "20.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:21.12.0:*:*:*:*:*:*:*", matchCriteriaId: "15F45363-236B-4040-8AE4-C6C0E204EDBA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", matchCriteriaId: "DAB9BA0D-7149-4221-A5AE-D4664E11C86F", versionEndIncluding: "17.12.0.0-17.12.20.0", versionStartIncluding: "17.12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", matchCriteriaId: "CFE4EAC8-A743-4658-AD72-088A5E747180", versionEndIncluding: "18.8.24.0", versionStartIncluding: "18.8.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", matchCriteriaId: "AD0DEC50-F4CD-4ACA-A118-D4F0D4F4C981", versionEndIncluding: "19.12.18.0", versionStartIncluding: "19.12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*", matchCriteriaId: "651104CE-0569-4E6D-ACAB-AD2AC85084DD", versionEndIncluding: "20.12.12.0", versionStartIncluding: "20.12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:21.12.0.0:*:*:*:*:*:*:*", matchCriteriaId: "45D89239-9142-46BD-846D-76A5A74A67B1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*", matchCriteriaId: "E867F5E0-48A0-4D84-A0CA-A428FB2264D4", versionEndIncluding: "17.12.20.0", versionStartIncluding: "17.12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*", matchCriteriaId: "05B3FCDE-7EF8-49CA-9C09-9033E5D7B91E", versionEndIncluding: "18.8.24.0", versionStartIncluding: "18.8.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*", matchCriteriaId: "05848067-59FF-4C90-A8BA-D1E4311B3A82", versionEndIncluding: "19.12.17.0", versionStartIncluding: "19.12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_p6_professional_project_management:*:*:*:*:*:*:*:*", matchCriteriaId: "DC6AD8C8-96ED-4CFB-9953-99139FABCE35", versionEndIncluding: "20.12.9.0", versionStartIncluding: "20.12.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_portfolio_management:*:*:*:*:*:*:*:*", matchCriteriaId: "F67F218D-E827-482B-8417-483713F31D69", versionEndIncluding: "18.0.3.0", versionStartIncluding: "18.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_portfolio_management:*:*:*:*:*:*:*:*", matchCriteriaId: "0ADB354B-AD0D-4EFA-B7C6-71A35FA0AFF9", versionEndIncluding: "19.0.1.2", versionStartIncluding: "19.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_portfolio_management:20.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "53B3B01A-532C-45B7-9BFC-19AABF55644B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_portfolio_management:20.0.0.1:*:*:*:*:*:*:*", matchCriteriaId: "683ABA64-9F16-4C23-8AF3-BB0C19FED9B9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*", matchCriteriaId: "08FA59A8-6A62-4B33-8952-D6E658F8DAC9", versionEndIncluding: "17.12", versionStartIncluding: "17.7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", matchCriteriaId: "202AD518-2E9B-4062-B063-9858AE1F9CE2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*", matchCriteriaId: "10864586-270E-4ACF-BDCC-ECFCD299305F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*", matchCriteriaId: "38340E3C-C452-4370-86D4-355B6B4E0A06", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*", matchCriteriaId: "E9C55C69-E22E-4B80-9371-5CD821D79FE2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:rapid_planning:*:*:*:*:*:*:*:*", matchCriteriaId: "CE004F32-F4DA-45A8-AD11-8924C4F1076A", versionEndIncluding: "12.2.11", versionStartIncluding: "12.2.6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:real-time_decision_server:3.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "C914A8CA-352B-4B02-8A2F-D5A6EC04AF53", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*", matchCriteriaId: "CADD7026-EF85-40A5-8563-7A34C6941B1F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*", matchCriteriaId: "58F019E8-F68D-41B5-9480-0A81616F2E7C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:rest_data_services:21.2.4:*:*:*:-:*:*:*", matchCriteriaId: "12F5FDCF-EA13-44F1-B3D8-94310CD3841C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_allocation:14.1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "51E83F05-B691-4450-BCA9-32209AEC4F6A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_allocation:15.0.3.1:*:*:*:*:*:*:*", matchCriteriaId: "288235F9-2F9E-469A-BE14-9089D0782875", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_allocation:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "6672F9C1-DA04-47F1-B699-C171511ACE38", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_allocation:19.0.1:*:*:*:*:*:*:*", matchCriteriaId: "11E57939-A543-44F7-942A-88690E39EABA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_analytics:*:*:*:*:*:*:*:*", matchCriteriaId: "90D4D479-0294-4F31-B719-8544C8DC4554", versionEndIncluding: "16.0.2", versionStartIncluding: "16.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "48C9BD8E-7214-4B44-B549-6F11B3EA8A04", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", matchCriteriaId: "F0735989-13BD-40B3-B954-AC0529C5B53D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", matchCriteriaId: "58405263-E84C-4071-BB23-165D49034A00", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_insights:*:*:*:*:*:*:*:*", matchCriteriaId: "08DF20EA-D1A6-4437-90F6-C0C40273CE5B", versionEndIncluding: "16.0.2", versionStartIncluding: "16.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", matchCriteriaId: "B92BB355-DB00-438E-84E5-8EC007009576", versionEndIncluding: "19.0", versionStartIncluding: "16.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "F3796186-D3A7-4259-846B-165AD9CEB7F1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:17.0.2:*:*:*:*:*:*:*", matchCriteriaId: "CEDA5540-692D-47DA-9F68-83158D9AE628", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:18.0.1:*:*:*:*:*:*:*", matchCriteriaId: "C5435583-C454-4AC9-8A35-D2D30EB252EE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:19.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A2140357-503A-4D2A-A099-CFA4DC649E41", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:20.0.1:*:*:*:*:*:*:*", matchCriteriaId: "6BAE5686-8E11-4EF1-BC7E-5C565F2440C7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*", matchCriteriaId: "31FFE404-027E-4B59-B3EF-BD20E1F7EECC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "798E4FEE-9B2B-436E-A2B3-B8AA1079892A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*", matchCriteriaId: "CB86F6C3-981E-4ECA-A5EB-9A9CD73D70C9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "6B042849-7EF5-4A5F-B6CD-712C0B8735BF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*", matchCriteriaId: "7435071D-0C95-4686-A978-AFC4C9A0D0FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_fiscal_management:14.2:*:*:*:*:*:*:*", matchCriteriaId: "A5F6FD19-A314-4A1F-96CB-6DB1CED79430", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:*:*:*:*:*:*:*:*", matchCriteriaId: "A921C710-1C59-429F-B985-67C0DBFD695E", versionEndIncluding: "16.0.3", versionStartIncluding: "16.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:*", matchCriteriaId: "40AABFD3-1D0D-4C6B-BA9A-9DA70241B51C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "4EEF867A-587A-45E1-B2F6-0B903903F0F9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "8CFCE558-9972-46A2-8539-C16044F1BAA9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*", matchCriteriaId: "A1194C4E-CF42-4B4D-BA9A-40FDD28F1D58", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:19.0.0:*:*:*:*:*:*:*", matchCriteriaId: "DFDF4CB0-4680-449A-8576-915721D59500", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*", matchCriteriaId: "BD311C33-A309-44D5-BBFB-539D72C7F8C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:15.0.3:*:*:*:*:*:*:*", matchCriteriaId: "A0472632-4104-4397-B619-C4E86A748465", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "48E25E7C-F7E8-4739-8251-00ACD11C12FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*", matchCriteriaId: "AE1BC44A-F0AF-41CD-9CEB-B07AB5ADAB38", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", matchCriteriaId: "38E74E68-7F19-4EF3-AC00-3C249EAAA39E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*", matchCriteriaId: "0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*", matchCriteriaId: "C7BD0D41-1BED-4C4F-95C8-8987C98908DA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_management_system:19.5:*:*:*:*:*:*:*", matchCriteriaId: "99B5DC78-1C24-4F2B-A254-D833FAF47013", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*", matchCriteriaId: "274999E6-18ED-46F0-8CF2-56374B3DF174", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "6B1A4F12-3E64-41CF-B2B3-B6AB734B69E0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:14.1.3.46:*:*:*:*:*:*:*", matchCriteriaId: "9002379B-4FDA-44F3-98EB-0C9B6083E429", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*", matchCriteriaId: "24A3C819-5151-4543-A5C6-998C9387C8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3.115:*:*:*:*:*:*:*", matchCriteriaId: "476B038D-7F60-482D-87AD-B58BEA35558E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "4FB98961-8C99-4490-A6B8-9A5158784F5A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:16.0.3.240:*:*:*:*:*:*:*", matchCriteriaId: "AB86C644-7B79-4F87-A06D-C178E8C2B8B4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:13.2:*:*:*:*:*:*:*", matchCriteriaId: "C19C5CC9-544A-4E4D-8F0A-579BB5270F07", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "3E1A9B0C-735A-40B4-901C-663CF5162E96", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:14.1:*:*:*:*:*:*:*", matchCriteriaId: "5B956113-5B3B-436D-858B-8F29FB304364", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "E0DD7FAB-0E0F-4319-95BF-C90881CE2E7E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*", matchCriteriaId: "7E8917F6-00E7-47EC-B86D-A3B11D5F0E0D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:15.0.3:*:*:*:*:*:*:*", matchCriteriaId: "DC456422-00B5-498E-A28E-EA834367D943", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*", matchCriteriaId: "EFC5F424-119D-4C66-8251-E735EEFBC0BA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "5C745606-0EF8-4E57-BFBC-C3FB39CB7E1A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", matchCriteriaId: "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*", matchCriteriaId: "0CE45891-A6A5-4699-90A6-6F49E60A7987", versionEndIncluding: "16.0.3", versionStartIncluding: "16.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "054F9E62-A6D6-4850-83AD-3628C74A4384", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*", matchCriteriaId: "E702EBED-DB39-4084-84B1-258BC5FE7545", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*", matchCriteriaId: "3F7956BF-D5B6-484B-999C-36B45CD8B75B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:19.0.0:*:*:*:*:*:*:*", matchCriteriaId: "0D14A54A-4B04-41DE-B731-844D8AC3BE23", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9DA6B655-A445-42E5-B6D9-70AB1C04774A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*", matchCriteriaId: "74ACC94B-4A9F-451D-B639-6008A108BDDC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*", matchCriteriaId: "DEC41EB8-73B4-4BDF-9321-F34EC0BAF9E6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*", matchCriteriaId: "48EFC111-B01B-4C34-87E4-D6B2C40C0122", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*", matchCriteriaId: "073FEA23-E46A-4C73-9D29-95CFF4F5A59D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A69FB468-EAF3-4E67-95E7-DF92C281C1F1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:sd-wan_aware:8.2:*:*:*:*:*:*:*", matchCriteriaId: "667A06DE-E173-406F-94DA-1FE64BCFAE18", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:sd-wan_edge:9.0:*:*:*:*:*:*:*", matchCriteriaId: "77E39D5C-5EFA-4FEB-909E-0A92004F2563", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:sd-wan_edge:9.1:*:*:*:*:*:*:*", matchCriteriaId: "06816711-7C49-47B9-A9D7-FB18CC3F42F2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:secure_backup:18.1.0.1.0:*:*:*:*:*:*:*", matchCriteriaId: "E8929B61-16EC-4FE0-98A5-1CC7CC7FD9CC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:siebel_applications:*:*:*:*:*:*:*:*", matchCriteriaId: "6CA63BB4-27A9-4B26-B01C-1F527C7B9454", versionEndExcluding: "21.12", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:spatial_studio:21.2.1:*:*:*:*:*:*:*", matchCriteriaId: "D926BD38-E66E-41DA-9F65-40D68F8D8890", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:thesaurus_management_system:5.2.3:*:*:*:*:*:*:*", matchCriteriaId: "01E3B232-073E-433B-977A-1742B75109B7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:thesaurus_management_system:5.3.0:*:*:*:*:*:*:*", matchCriteriaId: "6F6FDC33-D57E-4C6A-B633-BFC587147037", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:thesaurus_management_system:5.3.1:*:*:*:*:*:*:*", matchCriteriaId: "F3B01572-9D32-44B2-8FCF-C282C887DB51", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*", matchCriteriaId: "513AE97F-161C-43D2-B2D1-653125A9E920", versionEndExcluding: "11.2.2.8.27", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*", matchCriteriaId: "34656ECE-15CB-495C-8573-7C98B383F15B", versionEndExcluding: "21.1.1.1.0", versionStartIncluding: "21.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "51309958-121D-4649-AB9A-EBFA3A49F7CB", versionEndIncluding: "4.3.0.6.0", versionStartIncluding: "4.3.0.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*", matchCriteriaId: "5435B365-BFF3-4A9E-B45C-42D8F1E20FB7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "1FAC3840-2CF8-44CE-81BB-EEEBDA00A34A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*", matchCriteriaId: "3F906F04-39E4-4BE4-8A73-9D058AAADB43", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*", matchCriteriaId: "7B393A82-476A-4270-A903-38ED4169E431", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*", matchCriteriaId: "85CAE52B-C2CA-4C6B-A0B7-2B9D6F0499E2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*", matchCriteriaId: "A3ED272C-A545-4F8C-86C0-2736B3F2DCAF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*", matchCriteriaId: "C5B4C338-11E1-4235-9D5A-960B2711AC39", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*", matchCriteriaId: "8C93F84E-9680-44EF-8656-D27440B51698", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*", matchCriteriaId: "91A2A4B0-88FC-41D1-8719-4FAABED19F8E", versionEndExcluding: "6.1.32", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "D6A4F71A-4269-40FC-8F61-1D1301F2B728", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "5A502118-5B2B-47AE-82EC-1999BD841103", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "C93CC705-1F8C-4870-99E6-14BF264C3811", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "F14A818F-AA16-4438-A3E4-E64C9287AC66", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", matchCriteriaId: "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:zfs_storage_application_integration_engineering_software:1.3.3:*:*:*:*:*:*:*", matchCriteriaId: "CB85582D-0106-47F1-894F-0BC4FF0B5462", vulnerable: true, }, { criteria: "cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*", matchCriteriaId: "7569C0BD-16C1-441E-BAEB-840C94BE73EF", vulnerable: true, }, { criteria: "cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*", matchCriteriaId: "964B57CD-CB8A-4520-B358-1C93EC5EF2DC", vulnerable: true, }, { criteria: "cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*", matchCriteriaId: "8E8C192B-8044-4BF9-9F1F-57371FC0E8FD", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:oracle:fujitsu_m10-1_firmware:-:*:*:*:*:*:*:*", matchCriteriaId: "4DB505EC-A54C-4033-B3A6-24CEF87A855D", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:oracle:fujitsu_m10-1:-:*:*:*:*:*:*:*", matchCriteriaId: "0F63BFBA-A4D8-43D1-A13E-DEED6AEF596B", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:oracle:fujitsu_m10-4_firmware:-:*:*:*:*:*:*:*", matchCriteriaId: "D4A48DA6-C5A5-4B3D-B43B-31380223A55A", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:oracle:fujitsu_m10-4:-:*:*:*:*:*:*:*", matchCriteriaId: "D4BB5347-D09D-4FC5-9F1C-7F3E036C18AD", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:oracle:fujitsu_m10-4s_firmware:-:*:*:*:*:*:*:*", matchCriteriaId: "BB27AABE-079B-4DF0-ABEF-0D3329685B1E", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:oracle:fujitsu_m10-4s:-:*:*:*:*:*:*:*", matchCriteriaId: "529D4274-F33B-47C7-A3FB-6F86096FD955", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:oracle:fujitsu_m12-1_firmware:-:*:*:*:*:*:*:*", matchCriteriaId: "6D2D622F-E345-4A4D-861F-6460DF56880C", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:oracle:fujitsu_m12-1:-:*:*:*:*:*:*:*", matchCriteriaId: "A534E662-66B7-448B-A763-6B043112C877", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:oracle:fujitsu_m12-2_firmware:-:*:*:*:*:*:*:*", matchCriteriaId: "FCBEE0C8-CC99-4A25-9342-208D4DB91AAD", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:oracle:fujitsu_m12-2:-:*:*:*:*:*:*:*", matchCriteriaId: "95541D18-5C33-49E9-924D-0B21162EC2C4", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:oracle:fujitsu_m12-2s_firmware:-:*:*:*:*:*:*:*", matchCriteriaId: "CE5C60CD-F890-4E3F-A2C3-9153591E7647", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:oracle:fujitsu_m12-2s:-:*:*:*:*:*:*:*", matchCriteriaId: "22FD4F61-0A4F-4C74-A852-B1CD3639E1D8", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.", }, { lang: "es", value: "Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. Esta vulnerabilidad puede resultar en un ataque de tipo XSS.", }, ], id: "CVE-2019-10219", lastModified: "2024-11-21T04:18:40.947", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "secalert@redhat.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-11-08T15:15:11.157", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0159", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0160", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0161", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0164", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0024/", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0159", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0160", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0161", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0164", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba09114897d%40%3Cnotifications.accumulo.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r87b7e2d22982b4ca9f88f5f4f22a19b394d2662415b233582ed22ebf%40%3Cnotifications.accumulo.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb8dca19a4e52b60dab0ab21e2ff9968d78f4b84e4033824db1dd24b4%40%3Cpluto-scm.portals.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd418deda6f0ebe658c2015f43a14d03acb8b8c2c093c5bf6b880cd7c%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf9c17c3efc4a376a96e9e2777eee6acf0bec28e2200e4b35da62de4a%40%3Cpluto-dev.portals.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0024/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2020-11-02 21:15
Modified
2024-11-21 05:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20201123-0006/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20201123-0006/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | wildfly | * | |
| redhat | fuse | 6.0.0 | |
| redhat | jboss_data_grid | 7.0.0 | |
| redhat | jboss_enterprise_application_platform | 7.0.0 | |
| redhat | jboss_fuse | 7.0.0 | |
| redhat | openshift_application_runtimes | - | |
| redhat | single_sign-on | 7.0 | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | oncommand_insight | - | |
| netapp | service_level_manager | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*", matchCriteriaId: "03BD2B88-A2AB-479B-8AE9-EB044A920A43", versionEndIncluding: "21.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:6.0.0:*:*:*:*:*:*:*", matchCriteriaId: "FD89A07A-0277-43E8-9363-F77A43C89406", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "72A54BDA-311C-413B-8E4D-388AD65A170A", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "B40CCE4F-EA2C-453D-BB76-6388767E5C6D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", matchCriteriaId: "A33441B3-B301-426C-A976-08CE5FE72EFB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", matchCriteriaId: "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*", matchCriteriaId: "7081652A-D28B-494E-94EF-CA88117F23EE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.", }, { lang: "es", value: "Se encontró una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el controlador de host intenta reconectarse en un bucle, generando nuevas conexiones que no son cerradas apropiadamente mientras no es capaz de conectar al controlador de dominio. Este fallo permite a un atacante causar un problema de Falta de Memoria (OOM), conllevando a una denegación de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema", }, ], id: "CVE-2020-25689", lastModified: "2024-11-21T05:18:28.603", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "COMPLETE", baseScore: 6.8, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:N/I:N/A:C", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 3.6, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-11-02T21:15:27.647", references: [ { source: "secalert@redhat.com", tags: [ "Exploit", "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20201123-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20201123-0006/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-401", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-401", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2016-06-07 14:06
Modified
2025-04-12 10:46
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
References
Impacted products
{ cisaActionDue: "2022-05-03", cisaExploitAdd: "2021-11-03", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "Apache Shiro Code Execution Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:aurora:*:*:*:*:*:*:*:*", matchCriteriaId: "5E4E49B7-6247-4353-A80D-ADE138DD0967", versionEndExcluding: "0.18.1", versionStartIncluding: "0.10.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:shiro:*:*:*:*:*:*:*:*", matchCriteriaId: "2BF5BF73-85B5-4422-B100-EE22B38F574A", versionEndExcluding: "1.2.5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:1.0:*:*:*:*:middleware:*:*", matchCriteriaId: "A0FED4EE-0AE2-4BD8-8DAC-143382E4DB7C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", }, { lang: "es", value: "Apache Shiro en versiones anteriores a 1.2.5, cuando una clave de cifrado no ha sido configurada por la característica \"remember me\", permite a atacantes remotos ejecutar código arbitrario o eludir las restricciones destinadas al acceso a través de un parámetro request no especificado.", }, ], id: "CVE-2016-4437", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2016-06-07T14:06:13.247", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { source: "secalert@redhat.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91024", }, { source: "secalert@redhat.com", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2035.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2036.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/archive/1/538570/100/0/threaded", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91024", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", ], url: "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-321", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-04-06 13:29
Modified
2024-11-21 03:59
Severity ?
Summary
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "EAB91230-5337-4373-BEB1-A84CF1CB2019", versionEndExcluding: "4.3.16", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "8D2CC334-AFF8-41D4-9FBD-88C8FF9DA406", versionEndExcluding: "5.0.5", versionStartIncluding: "5.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", matchCriteriaId: "17EA8B91-7634-4636-B647-1049BA7CA088", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "5B4DF46F-DBCC-41F2-A260-F83A14838F23", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "10F17843-32EA-4C31-B65C-F424447BEF7B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A125E817-F974-4509-872C-B71933F42AD1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "00280604-1DC1-4974-BF73-216C5D76FFA3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", matchCriteriaId: "EC361999-AAD8-4CB3-B00E-E3990C3529B4", versionEndExcluding: "7.0.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", matchCriteriaId: "CF5A0F0D-313D-4F5C-AD6D-8C118D5CD8D8", versionEndExcluding: "8.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", matchCriteriaId: "468931C8-C76A-4E47-BF00-185D85F719C5", versionEndExcluding: "10.2.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", matchCriteriaId: "97C1FA4C-5163-420C-A01A-EA36F1039BBB", versionEndExcluding: "6.1.0.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", matchCriteriaId: "BE12B6A4-E128-41EC-8017-558F50B961BE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", matchCriteriaId: "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "1C4A89F2-713D-4A36-9D28-22748D30E0FD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "CDFABB2C-2FA2-4F83-985B-7FCEAF274418", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "6A609003-8687-40B4-8AC3-06A1534ADE30", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*", matchCriteriaId: "9027528A-4FE7-4E3C-B2DF-CCCED22128F5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*", matchCriteriaId: "2A699D02-296B-411E-9658-5893240605D6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*", matchCriteriaId: "7036576C-2B1F-413D-B154-2DBF9BFDE7E3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*", matchCriteriaId: "CEE4B2F0-1AAB-4A1F-AE86-A568D43891B3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*", matchCriteriaId: "641D134E-6C51-4DB8-8554-F6B5222EF479", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*", matchCriteriaId: "C79B50C2-27C2-4A9C-ACEE-B70015283F58", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*", matchCriteriaId: "DB6321F8-7A0A-4DB8-9889-3527023C652A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*", matchCriteriaId: "25F8E604-8180-4728-AD2D-7FF034E3E65A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*", matchCriteriaId: "02867DC7-E669-43C0-ACC4-E1CAA8B9994C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FBAFA631-C92B-4FF7-8E65-07C67789EBCD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*", matchCriteriaId: "9652104A-119D-4327-A937-8BED23C23861", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*", matchCriteriaId: "6CBFA960-D242-43ED-8D4C-A60F01B70740", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*", matchCriteriaId: "0513B305-97EF-4609-A82E-D0CDFF9925BA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*", matchCriteriaId: "61A7F6E0-A4A4-4FC3-90CB-156933CB3B9A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*", matchCriteriaId: "31C7EEA3-AA72-48DA-A112-2923DBB37773", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", matchCriteriaId: "F0735989-13BD-40B3-B954-AC0529C5B53D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*", matchCriteriaId: "83B5F416-56AE-4DC5-BCFF-49702463E716", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", matchCriteriaId: "58405263-E84C-4071-BB23-165D49034A00", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", matchCriteriaId: "AD4AB77A-E829-4603-AF6A-97B9CD0D687F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", matchCriteriaId: "6DE15D64-6F49-4F43-8079-0C7827384C86", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.0.1:*:*:*:*:*:*:*", matchCriteriaId: "22847CAE-3C2C-4C2E-9D2E-47DB4091442E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.0.2:*:*:*:*:*:*:*", matchCriteriaId: "B4D5A9AB-3DE0-4496-82E5-A2DB5CFDAA9F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.0.3:*:*:*:*:*:*:*", matchCriteriaId: "1E484D25-1753-42A1-9658-8E9CCE8E3568", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "9FEAFF40-B0C7-4B05-A655-B3F93055FBCF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.1:*:*:*:*:*:*:*", matchCriteriaId: "BBF4C859-616D-44F9-BE76-589A4E6E8BF5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*", matchCriteriaId: "20357086-0C32-44B5-A1FA-79283E88FB47", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "F1AFAE16-B69F-410A-8CE3-1CDD998A8433", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:15.0.0.1:*:*:*:*:*:*:*", matchCriteriaId: "D8CE753D-A090-47DE-8EF0-8FDE07576E80", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:15.0.1:*:*:*:*:*:*:*", matchCriteriaId: "7BAFB538-A395-4C4D-83F7-CD453C0DFB4D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:15.0.2:*:*:*:*:*:*:*", matchCriteriaId: "7C0CA26F-41D3-433F-9C17-1A4F5066F184", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*", matchCriteriaId: "F73E2EFA-0F43-4D92-8C7D-9E66811B76D6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:16.0.1:*:*:*:*:*:*:*", matchCriteriaId: "B27C4D75-3927-4D07-BE16-4204F641A453", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:16.0.2:*:*:*:*:*:*:*", matchCriteriaId: "B0A6CF77-09DF-43FD-833A-8DAAE016717A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*", matchCriteriaId: "07630491-0624-4C5C-A858-C5D3CDCD1B68", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*", matchCriteriaId: "EC9CA11F-F718-43E5-ADB9-6C348C75E37A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9FBAAD32-1E9D-47F1-9F47-76FEA47EF54F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*", matchCriteriaId: "EAA4DF85-9225-4422-BF10-D7DAE7DCE007", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*", matchCriteriaId: "77C2A2A4-285B-40A1-B9AD-42219D742DD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", matchCriteriaId: "EE8CF045-09BB-4069-BCEC-496D5AE3B780", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", matchCriteriaId: "38E74E68-7F19-4EF3-AC00-3C249EAAA39E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-sale:14.0:*:*:*:*:*:*:*", matchCriteriaId: "632E9828-907F-4F2C-81D5-A74A6DDA2748", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-sale:14.1:*:*:*:*:*:*:*", matchCriteriaId: "274999E6-18ED-46F0-8CF2-56374B3DF174", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:14.0:*:*:*:*:*:*:*", matchCriteriaId: "BD3C8E59-B07D-4C5E-B467-2FA6C1DFDA5B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:14.1:*:*:*:*:*:*:*", matchCriteriaId: "F6DA82ED-20FF-4E6D-ACA0-C65F51F4F5C0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:15.0:*:*:*:*:*:*:*", matchCriteriaId: "6FFEA075-11EB-4E99-92A1-8B2883C64CC0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*", matchCriteriaId: "21973CDD-D16E-4321-9F8E-67F4264D7C21", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*", matchCriteriaId: "959316A8-C3AF-4126-A242-3835ED0AD1E8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", matchCriteriaId: "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*", matchCriteriaId: "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "909A7F73-0164-471B-8EBD-1F70072E9809", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "2CE08DC9-5153-48D6-B23C-68A632FF8FF5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*", matchCriteriaId: "70D4467D-6968-4557-AF61-AFD42B2B48D3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "0F31D7E8-D31D-4268-9ABF-3733915AA226", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.", }, { lang: "es", value: "Spring Framework, en versiones 5.0 anteriores a la 5.0.5 y versiones 4.3 anteriores a la 4.3.15, así como versiones más antiguas no soportadas, permite que las aplicaciones expongan STOMP en endpoints WebSocket con un simple agente STOMP en memoria a través del módulo spring-messaging. Un usuario (o atacante) malicioso puede manipular un mensaje al agente que desemboca en un ataque de ejecución remota de código.", }, ], id: "CVE-2018-1270", lastModified: "2024-11-21T03:59:30.477", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-04-06T13:29:00.453", references: [ { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/103696", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { source: "security_alert@emc.com", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", }, { source: "security_alert@emc.com", tags: [ "Vendor Advisory", ], url: "https://pivotal.io/security/cve-2018-1270", }, { source: "security_alert@emc.com", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/44796/", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/103696", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pivotal.io/security/cve-2018-1270", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Broken Link", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/44796/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], sourceIdentifier: "security_alert@emc.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-94", }, ], source: "security_alert@emc.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-358", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2017-10-04 01:29
Modified
2025-04-20 01:37
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
References
Impacted products
{ cisaActionDue: "2022-04-15", cisaExploitAdd: "2022-03-25", cisaRequiredAction: "Apply updates per vendor instructions.", cisaVulnerabilityName: "Apache Tomcat Remote Code Execution Vulnerability", configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", matchCriteriaId: "A7286E06-DA84-401D-8FB8-DEEF6A171C88", versionEndExcluding: "7.0.82", versionStartIncluding: "7.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", matchCriteriaId: "2C385FE9-F78C-49BC-AE87-5FE1A9BD7ED3", versionEndExcluding: "8.0.47", versionStartIncluding: "8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", matchCriteriaId: "EF72650E-5826-4ABB-9B7D-43C96DB3B9B7", versionEndExcluding: "8.5.23", versionStartIncluding: "8.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", matchCriteriaId: "817D7E47-947E-4A2F-A8AB-1302D5DF6684", versionEndExcluding: "9.0.1", versionStartIncluding: "9.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", matchCriteriaId: "8D305F7A-D159-4716-AB26-5E38BB5CD991", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", matchCriteriaId: "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", matchCriteriaId: "9070C9D8-A14A-467F-8253-33B966C16886", vulnerable: true, }, { criteria: "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*", matchCriteriaId: "B3293E55-5506-4587-A318-D1734F781C09", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", matchCriteriaId: "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CCF62B0C-A8BD-40E6-9E4E-E684F4E87ACD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", matchCriteriaId: "ED43772F-D280-42F6-A292-7198284D6FE7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:*:*:*:*:*:*:*", matchCriteriaId: "622B95F1-8FA4-4AA6-9B68-5FE4302BA150", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "8B65CD29-C729-42AC-925E-014BA19581E2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "7E856B4A-6AE7-4317-921A-35B4D2048652", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:12.1.0.4.0:*:*:*:*:*:*:*", matchCriteriaId: "815E0C5E-00DF-4AD2-AE97-A752B3DC1631", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "4C3CFCCE-A8D4-4B78-9C37-88238580B5DA", versionEndIncluding: "7.3.5.3.0", versionStartIncluding: "7.3.3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "9380A86A-7A58-477F-A697-B6692E18B4B9", versionEndIncluding: "8.0.9.0.0", versionStartIncluding: "8.0.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fmw_platform:12.2.1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "657387A7-DFD9-4CDC-968A-3F3970FDE224", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "9C5E9A12-BFE9-4963-A360-A34168A6BF6A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.1:*:*:*:*:*:*:*", matchCriteriaId: "26CD44C0-F9DD-46F0-A4C1-2C2639217B4D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", matchCriteriaId: "1A3DC116-2844-47A1-BEC2-D0675DD97148", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*", matchCriteriaId: "82EA4BA7-C38B-4AF3-8914-9E3D089EBDD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*", matchCriteriaId: "B9C9BC66-FA5F-4774-9BDA-7AB88E2839C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:management_pack:11.2.1.0.13:*:*:*:*:goldengate:*:*", matchCriteriaId: "5EB9E1EA-E136-4B09-9BBB-D7D48D993349", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "98EE20FD-3D21-4E23-95B8-7BD13816EB95", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.0.1:*:*:*:*:*:*:*", matchCriteriaId: "78933DD0-F774-4E60-BC66-D5A57919717A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.5.0:*:*:*:*:*:*:*", matchCriteriaId: "8ECA7A7E-8177-4FD4-B9B9-F4B1B6F43F98", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.6.0:*:*:*:*:*:*:*", matchCriteriaId: "73C9A2AD-F384-44D5-AB33-86B7250760A5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.7.0:*:*:*:*:*:*:*", matchCriteriaId: "EEB4EB87-5ABB-437D-BDAC-FB64F33929FA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.0:*:*:*:*:*:*:*", matchCriteriaId: "FA3F5761-E2A0-4F67-BAE1-503877676BF3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.1:*:*:*:*:*:*:*", matchCriteriaId: "C1E3C86B-4483-430A-856D-7EAB7D388D2E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "FF9C223C-BC90-4253-A009-53DEDEE9C1CC", versionEndIncluding: "3.3.6.3293", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "52886BA2-204E-4F0E-B22F-CE5FDFCC98B5", versionEndIncluding: "3.4.4.4226", versionStartIncluding: "3.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "6470AB3F-ADE2-4BA2-A6B9-E094C927CC77", versionEndIncluding: "4.0.0.5135", versionStartIncluding: "4.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_advanced_inventory_planning:13.2:*:*:*:*:*:*:*", matchCriteriaId: "D8193A06-3F6B-4F5A-AA58-B1B0AB3A87A3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_advanced_inventory_planning:13.4:*:*:*:*:*:*:*", matchCriteriaId: "FE65A212-7385-4973-A9C8-FB9C2F9F745F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*", matchCriteriaId: "56239DBD-E294-44A4-9DD3-CEEC58C1BC0C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*", matchCriteriaId: "517E0654-F1DE-43C4-90B5-FB90CA31734B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "FB363B97-8D71-4FC5-AF88-B6A0040E3D04", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "92978070-A3FD-45E7-8A19-C6324116416B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "74D44D74-4402-4569-B335-AFB5F80424ED", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "5ABB11E1-AD2A-47AA-A5AA-49D94B50CEC3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:*:*:*:*:*:*:*", matchCriteriaId: "DA5B8931-D3B4-46A9-B1A0-9A6BBA365FC8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:1.1.124:*:*:*:*:*:*:*", matchCriteriaId: "BD00C4A5-D05A-4C64-A50C-B8CE182FFB5E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:15.0.1:*:*:*:*:*:*:*", matchCriteriaId: "25AC9F0D-4476-41AC-A7AB-5DE52135D8D7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_eftlink:16.0.2:*:*:*:*:*:*:*", matchCriteriaId: "A4DF6FE2-35CB-43AB-95F4-40C909DEC69F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_insights:14.0:*:*:*:*:*:*:*", matchCriteriaId: "5DCCBA87-C934-4B94-A5F2-B459FF9CBEC6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_insights:14.1:*:*:*:*:*:*:*", matchCriteriaId: "1D962EF0-D6E1-4B1F-9F50-0E30C3B5CF4A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_insights:15.0:*:*:*:*:*:*:*", matchCriteriaId: "9B3935CB-58D4-49A4-B3D4-D0DA0CD12F38", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_insights:16.0:*:*:*:*:*:*:*", matchCriteriaId: "269BCEDB-57A1-4611-A009-29791E0EF9A4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:12.0:*:*:*:*:*:*:*", matchCriteriaId: "51D1FAEE-65FD-47EB-9F4D-505C72000F3A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:13.0:*:*:*:*:*:*:*", matchCriteriaId: "4C45FF05-FB76-4782-891E-F4A8A4871A22", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:13.1:*:*:*:*:*:*:*", matchCriteriaId: "5C03ED7B-3826-4D6D-89C5-61DE12E27213", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:13.2:*:*:*:*:*:*:*", matchCriteriaId: "8893CB1D-F18C-404D-BC06-CA2617BFAE58", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:14.0:*:*:*:*:*:*:*", matchCriteriaId: "42227DD8-6671-4B38-9E42-4ACF78F09C97", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:14.1:*:*:*:*:*:*:*", matchCriteriaId: "69962BD9-A102-4621-9461-018E87261657", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*", matchCriteriaId: "788F2530-F011-4489-8029-B3468BAF7787", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_invoice_matching:16.0:*:*:*:*:*:*:*", matchCriteriaId: "7D939BB4-9D34-43A4-A19C-1CC90DB748FD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:5.0:*:*:*:*:*:*:*", matchCriteriaId: "C4E864D4-96C0-4FD5-993F-7E2472893FF6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*", matchCriteriaId: "EAA4DF85-9225-4422-BF10-D7DAE7DCE007", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*", matchCriteriaId: "77C2A2A4-285B-40A1-B9AD-42219D742DD4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", matchCriteriaId: "EE8CF045-09BB-4069-BCEC-496D5AE3B780", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*", matchCriteriaId: "38E74E68-7F19-4EF3-AC00-3C249EAAA39E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_management_system:4.0:*:*:*:*:*:*:*", matchCriteriaId: "01FFED25-C781-45CA-8F3B-7A75D5F1E126", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_management_system:4.5:*:*:*:*:*:*:*", matchCriteriaId: "DA5092E0-0F34-4330-BE16-B0D5FF4C91E4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_management_system:4.7:*:*:*:*:*:*:*", matchCriteriaId: "BBBC99BE-E550-482C-B759-6032E6593D09", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_management_system:5.0:*:*:*:*:*:*:*", matchCriteriaId: "66CAA1FF-02B0-4479-8349-DEB19208A21C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-service:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "5C47CC5A-5A12-4058-9F60-A50E2D2040BE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-service:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "A1CE1F19-1F07-4CBB-9930-F47394ED8054", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:12.0:*:*:*:*:*:*:*", matchCriteriaId: "FABD1A02-06F9-48A7-A22D-10DCD24938E7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:13.0:*:*:*:*:*:*:*", matchCriteriaId: "06992F7E-3BCA-4489-AD12-534C50CE6E6D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:13.1:*:*:*:*:*:*:*", matchCriteriaId: "F6D3F48B-E5F3-4412-815A-6C1E23E98674", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:13.2:*:*:*:*:*:*:*", matchCriteriaId: "C19C5CC9-544A-4E4D-8F0A-579BB5270F07", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:14.0:*:*:*:*:*:*:*", matchCriteriaId: "891E192D-BA12-4D89-8D18-C93D2F26A369", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:14.1:*:*:*:*:*:*:*", matchCriteriaId: "5B956113-5B3B-436D-858B-8F29FB304364", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*", matchCriteriaId: "7E8917F6-00E7-47EC-B86D-A3B11D5F0E0D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*", matchCriteriaId: "EFC5F424-119D-4C66-8251-E735EEFBC0BA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:2.3.8:*:*:*:*:*:*:*", matchCriteriaId: "4B31A871-77CF-455F-A28A-FBCE595D51DB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:2.4.9:*:*:*:*:*:*:*", matchCriteriaId: "892B1AB5-B0DC-4E57-B22F-0196A9F22CE7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "0E9002D8-133F-4AB2-8475-4B0A464D0021", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "B529695B-B859-4A1B-9873-6C870201879F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:12.0.12:*:*:*:*:*:*:*", matchCriteriaId: "F26748F3-1952-43B2-8847-264257ECBF10", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:13.0.7:*:*:*:*:*:*:*", matchCriteriaId: "142391D3-E38C-4F0E-9BB1-034DC28FAF75", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:13.1.9:*:*:*:*:*:*:*", matchCriteriaId: "555925C7-3345-48F8-9FD9-0E6C1E83E960", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:13.2.9:*:*:*:*:*:*:*", matchCriteriaId: "0953CAB4-B627-419D-9B8A-7C776A4FC18F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4:*:*:*:*:*:*:*", matchCriteriaId: "0E703304-0752-46F2-998B-A3D37C9E7A54", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3:*:*:*:*:*:*:*", matchCriteriaId: "722969B5-36CD-4413-954B-347BB7E51FAE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:15.0.2:*:*:*:*:*:*:*", matchCriteriaId: "C5BE74EA-FC65-4A23-B5AA-1FC97390ADAB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_store_inventory_management:16.0.1:*:*:*:*:*:*:*", matchCriteriaId: "8AAFAA67-42E9-4B4E-9DC7-A38275FD45CB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:6.0.11:*:*:*:*:*:*:*", matchCriteriaId: "B7A0E714-AC23-49B5-A36C-D10FA4699561", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:*:*:*:*:*:*:*", matchCriteriaId: "89B3354D-3929-4AEC-AAE0-7F573341FD6C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:*:*:*:*:*:*:*", matchCriteriaId: "55901EF7-B71C-40B3-B276-FDA6381F051F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:*:*:*:*:*:*:*", matchCriteriaId: "385D40CC-5AA0-4DAB-A2E7-F3A3CFF95BA7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.1:*:*:*:*:*:*:*", matchCriteriaId: "E7A714FB-050A-4040-BC57-C22FA4DD58D2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.2:*:*:*:*:*:*:*", matchCriteriaId: "A775321B-6DFB-4770-8F6D-D34D655438AF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.3:*:*:*:*:*:*:*", matchCriteriaId: "835BB7D9-633C-4CB3-8E8F-CA6FD62E587A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.4:*:*:*:*:*:*:*", matchCriteriaId: "48FE41BA-1E3C-4626-930F-3F8FEE124A78", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.5:*:*:*:*:*:*:*", matchCriteriaId: "40F284EF-05CF-4CF5-B7CA-F58AE01DA3B6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.6:*:*:*:*:*:*:*", matchCriteriaId: "C09892E8-D580-488A-A80E-B358D682A25A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*", matchCriteriaId: "A58642E0-CA59-4DE6-A83C-F551FC621C32", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:tuxedo_system_and_applications_monitor:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "D7072B3F-88AE-4432-879B-9D8208C67C74", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*", matchCriteriaId: "1BB4709C-6373-43CC-918C-876A6569865A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "AD848FE1-CFD7-490C-B008-DF3B30F3256F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "16F59A04-14CF-49E2-9973-645477EA09DA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*", matchCriteriaId: "BD075607-09B7-493E-8611-66D041FFDA62", versionStartIncluding: "7.3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB", versionStartIncluding: "9.5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*", matchCriteriaId: "7DCBCC5D-C396-47A8-ADF4-D3A2C4377FB1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*", matchCriteriaId: "3BD81527-A341-42C3-9AB9-880D3DB04B08", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, { criteria: "cpe:2.3:o:netapp:element:-:*:*:*:*:vcenter_server:*:*", matchCriteriaId: "5E1DE4F5-9094-4C73-AA1B-5C902F38DD24", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*", matchCriteriaId: "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*", matchCriteriaId: "B1ABA871-3271-48E2-A69C-5AD70AF94E53", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "681173DF-537E-4A64-8FC7-75F439CCAD0D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "8E2F2F98-DB90-43F6-8F28-3656207B6188", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*", matchCriteriaId: "08E5BFFC-F3E0-43E6-BA40-81B2A8B7CC01", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", matchCriteriaId: "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", matchCriteriaId: "33C068A4-3780-4EAB-A937-6082DF847564", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*", matchCriteriaId: "F96E3779-F56A-45FF-BB3D-4980527D721E", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*", matchCriteriaId: "0CF73560-2F5B-4723-A8A1-9AADBB3ADA00", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*", matchCriteriaId: "5BF3C7A5-9117-42C7-BEA1-4AA378A582EF", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*", matchCriteriaId: "83737173-E12E-4641-BC49-0BD84A6B29D0", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*", matchCriteriaId: "46DD0CA2-3786-4E97-A60C-5043FDDBCB86", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*", matchCriteriaId: "55E4609A-C986-4041-A528-1B4B37E1F6F6", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*", matchCriteriaId: "92BDD126-A468-47D9-A468-6E229D75939D", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*", matchCriteriaId: "6DAA8C42-870A-42B4-AE9F-7C67F4122ED3", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0_s390x:*:*:*:*:*:*:*", matchCriteriaId: "C84EAAE7-0249-4EA1-B8D3-E039B03ACDC3", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*", matchCriteriaId: "2148300C-ECBD-4ED5-A164-79629859DD43", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*", matchCriteriaId: "B908AEF5-67CE-42D4-961D-C0E7ADB78ADD", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*", matchCriteriaId: "0F8EB695-5EA3-46D2-941E-D7F01AB99A48", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*", matchCriteriaId: "1E1DB003-76B8-4D7B-A6ED-5064C3AE1C11", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*", matchCriteriaId: "FFC68D88-3CD3-4A3D-A01B-E9DBACD9B9CB", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0_ppc64:*:*:*:*:*:*:*", matchCriteriaId: "6D8D654F-2442-4EA0-AF89-6AC2CD214772", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*", matchCriteriaId: "8BCF87FD-9358-42A5-9917-25DF0180A5A6", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*", matchCriteriaId: "9B8B2E32-B838-4E51-BAA2-764089D2A684", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*", matchCriteriaId: "4319B943-7B19-468D-A160-5895F7F997A3", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*", matchCriteriaId: "39C1ABF5-4070-4AA7-BAB8-4F63E1BD91FF", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*", matchCriteriaId: "8036E2AE-4E44-4FA5-AFFB-A3724BFDD654", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:*:*:*:*:*:*:*", matchCriteriaId: "B4A684C7-88FD-43C4-9BDB-AE337FCBD0AB", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*", matchCriteriaId: "E9A24D0C-604D-4421-AFA6-5D541DA2E94D", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*", matchCriteriaId: "3A2E3637-B6A6-4DA9-8B0A-E91F22130A45", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*", matchCriteriaId: "F81F859C-DA89-4D1E-91D3-A000AD646203", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*", matchCriteriaId: "418488A5-2912-406C-9337-B8E85D0C2B57", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", matchCriteriaId: "9BBCD86A-E6C7-4444-9D74-F861084090F0", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", matchCriteriaId: "51EF4996-72F4-4FA4-814F-F5991E7A8318", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", matchCriteriaId: "D99A687E-EAE6-417E-A88E-D0082BC194CD", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", matchCriteriaId: "B353CE99-D57C-465B-AAB0-73EF581127D1", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*", matchCriteriaId: "7431ABC1-9252-419E-8CC1-311B41360078", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", matchCriteriaId: "D5F7E11E-FB34-4467-8919-2B6BEAABF665", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", matchCriteriaId: "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*", matchCriteriaId: "17F256A9-D3B9-4C72-B013-4EFD878BFEA8", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", matchCriteriaId: "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "825ECE2D-E232-46E0-A047-074B34DB1E97", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", }, { lang: "es", value: "Al ejecutar Apache Tomcat desde la versión 9.0.0.M1 hasta la 9.0.0, desde la 8.5.0 hasta la 8.5.22, desde la 8.0.0.RC1 hasta la 8.0.46 y desde la 7.0.0 hasta la 7.0.81 con los HTTP PUT habilitados (por ejemplo, configurando el parámetro de inicialización de solo lectura del servlet Default a \"false\"), es posible subir un archivo JSP al servidor mediante una petición especialmente manipulada. Este JSP se puede después solicitar y cualquier código que contenga se ejecutaría por el servidor.", }, ], id: "CVE-2017-12617", lastModified: "2025-04-20T01:37:25.860", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2017-10-04T01:29:02.120", references: [ { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100954", }, { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039552", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3080", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3081", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3113", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3114", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0268", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0269", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0270", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0271", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0275", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0465", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0466", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Issue Tracking", "Mailing List", ], url: "https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20171018-0002/", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://support.f5.com/csp/article/K53173544", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://usn.ubuntu.com/3665-1/", }, { source: "security@apache.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/42966/", }, { source: "security@apache.org", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/43008/", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/100954", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1039552", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3080", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3081", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3113", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3114", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0268", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0269", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0270", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0271", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0275", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0465", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:0466", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2939", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Mailing List", ], url: "https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20171018-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://support.f5.com/csp/article/K53173544", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://usn.ubuntu.com/3665-1/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/42966/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "https://www.exploit-db.com/exploits/43008/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-434", }, ], source: "nvd@nist.gov", type: "Primary", }, { description: [ { lang: "en", value: "CWE-434", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2018-05-11 20:29
Modified
2024-11-21 03:59
Severity ?
Summary
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*", matchCriteriaId: "82F4C00B-9F3D-46D2-B10A-204BD055BA5F", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:5.0.5:*:*:*:*:*:*:*", matchCriteriaId: "1733D2EB-D792-4566-92BF-DD9EA301B2A2", vulnerable: true, }, ], negate: false, operator: "AND", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", matchCriteriaId: "D14ABF04-E460-4911-9C6C-B7BCEFE68E9D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*", matchCriteriaId: "CCF62B0C-A8BD-40E6-9E4E-E684F4E87ACD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", matchCriteriaId: "ED43772F-D280-42F6-A292-7198284D6FE7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", matchCriteriaId: "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:10.1:*:*:*:*:*:*:*", matchCriteriaId: "54634303-BC07-41EF-8C4A-D64D9A32A40E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", matchCriteriaId: "17EA8B91-7634-4636-B647-1049BA7CA088", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "5B4DF46F-DBCC-41F2-A260-F83A14838F23", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "10F17843-32EA-4C31-B65C-F424447BEF7B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A125E817-F974-4509-872C-B71933F42AD1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*", matchCriteriaId: "00280604-1DC1-4974-BF73-216C5D76FFA3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_converged_application_server:*:*:*:*:*:*:*:*", matchCriteriaId: "EC361999-AAD8-4CB3-B00E-E3990C3529B4", versionEndExcluding: "7.0.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", matchCriteriaId: "CF5A0F0D-313D-4F5C-AD6D-8C118D5CD8D8", versionEndExcluding: "8.3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", matchCriteriaId: "ABD748C9-24F6-4739-9772-208B98616EE2", versionEndIncluding: "7.3.6", versionStartIncluding: "7.3.2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_performance_intelligence_center:*:*:*:*:*:*:*:*", matchCriteriaId: "468931C8-C76A-4E47-BF00-185D85F719C5", versionEndExcluding: "10.2.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_services_gatekeeper:*:*:*:*:*:*:*:*", matchCriteriaId: "97C1FA4C-5163-420C-A01A-EA36F1039BBB", versionEndExcluding: "6.1.0.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*", matchCriteriaId: "8B65CD29-C729-42AC-925E-014BA19581E2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "7E856B4A-6AE7-4317-921A-35B4D2048652", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*", matchCriteriaId: "51C25F23-6800-48A2-881C-C2A2C3FA045C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", matchCriteriaId: "BE12B6A4-E128-41EC-8017-558F50B961BE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", matchCriteriaId: "AB654DFA-FEF9-4D00-ADB0-F3F2B6ACF13E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "69300B13-8C0F-4433-A6E8-B2CE32C4723D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "F9E13DD9-F456-4802-84AD-A2A1F12FE999", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "1C4A89F2-713D-4A36-9D28-22748D30E0FD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*", matchCriteriaId: "CDFABB2C-2FA2-4F83-985B-7FCEAF274418", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*", matchCriteriaId: "6A609003-8687-40B4-8AC3-06A1534ADE30", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*", matchCriteriaId: "9027528A-4FE7-4E3C-B2DF-CCCED22128F5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*", matchCriteriaId: "2A699D02-296B-411E-9658-5893240605D6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*", matchCriteriaId: "7036576C-2B1F-413D-B154-2DBF9BFDE7E3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", matchCriteriaId: "1A3DC116-2844-47A1-BEC2-D0675DD97148", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", matchCriteriaId: "E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*", matchCriteriaId: "CEE4B2F0-1AAB-4A1F-AE86-A568D43891B3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*", matchCriteriaId: "641D134E-6C51-4DB8-8554-F6B5222EF479", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*", matchCriteriaId: "C79B50C2-27C2-4A9C-ACEE-B70015283F58", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:10.0:*:*:*:*:*:*:*", matchCriteriaId: "9ED4F724-C92F-4B4F-B631-81A4EA706DB2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:10.1:*:*:*:*:*:*:*", matchCriteriaId: "900450EB-A71D-4A8E-B8C4-AFD36F9A36B0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*", matchCriteriaId: "68017B52-6597-4E32-A38F-634B5635568C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.0:*:*:*:*:*:*:*", matchCriteriaId: "A19D11A6-BA1D-4121-8686-C177C450777F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*", matchCriteriaId: "DB6321F8-7A0A-4DB8-9889-3527023C652A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*", matchCriteriaId: "25F8E604-8180-4728-AD2D-7FF034E3E65A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*", matchCriteriaId: "02867DC7-E669-43C0-ACC4-E1CAA8B9994C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FBAFA631-C92B-4FF7-8E65-07C67789EBCD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*", matchCriteriaId: "9652104A-119D-4327-A937-8BED23C23861", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*", matchCriteriaId: "98EE20FD-3D21-4E23-95B8-7BD13816EB95", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "1D863326-7106-4A08-9072-C72029584403", versionEndIncluding: "8.0.2.8191", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*", matchCriteriaId: "B21E71BD-DD38-4634-BF9F-092D55000DE6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*", matchCriteriaId: "921B7906-A20A-4313-9398-D542A4198BBF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*", matchCriteriaId: "D09C6958-DD7C-4B43-B7F0-4EE65ED5B582", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*", matchCriteriaId: "1BBFE031-4BD1-4501-AC62-DC0AFC2167B7", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*", matchCriteriaId: "31C7EEA3-AA72-48DA-A112-2923DBB37773", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", matchCriteriaId: "F0735989-13BD-40B3-B954-AC0529C5B53D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*", matchCriteriaId: "83B5F416-56AE-4DC5-BCFF-49702463E716", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", matchCriteriaId: "58405263-E84C-4071-BB23-165D49034A00", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", matchCriteriaId: "AD4AB77A-E829-4603-AF6A-97B9CD0D687F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", matchCriteriaId: "6DE15D64-6F49-4F43-8079-0C7827384C86", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*", matchCriteriaId: "ACB5604C-69AF-459D-A82D-8A3B78CF2655", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*", matchCriteriaId: "655CF3AE-B649-4282-B727-8B3C5D829C40", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*", matchCriteriaId: "53CFE454-3E73-4A88-ABEE-322139B169A8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*", matchCriteriaId: "457C8C66-FB0C-4532-9027-8777CF42D17A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*", matchCriteriaId: "FF2B9DA6-2937-4574-90DF-09FD770B23D4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*", matchCriteriaId: "20357086-0C32-44B5-A1FA-79283E88FB47", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*", matchCriteriaId: "237968A4-AE89-44DC-8BA3-D9651F88883D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", matchCriteriaId: "E13DF2AE-F315-4085-9172-6C8B21AF1C9E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*", matchCriteriaId: "959316A8-C3AF-4126-A242-3835ED0AD1E8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", matchCriteriaId: "BDB925C6-2CBC-4D88-B9EA-F246F4F7A206", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*", matchCriteriaId: "55AE3629-4A66-49E4-A33D-6D81CC94962F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "909A7F73-0164-471B-8EBD-1F70072E9809", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "2CE08DC9-5153-48D6-B23C-68A632FF8FF5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*", matchCriteriaId: "70D4467D-6968-4557-AF61-AFD42B2B48D3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:10.3.6.0:*:*:*:*:*:*:*", matchCriteriaId: "0ABB9BAD-9BBD-4B2D-A0ED-7898812B9446", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "F745235C-55A9-4353-A4CB-4B7834BDD63F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "DAE3D682-1434-4789-8B43-679AE86533FE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*", matchCriteriaId: "CBFF04EF-B1C3-4601-878A-35EA6A15EF0C", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*", matchCriteriaId: "6AADE2A6-B78C-4B9C-8FAB-58DB50F69D84", versionStartIncluding: "7.3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*", matchCriteriaId: "7E49ACFC-FD48-4ED7-86E8-68B5B753852C", versionStartIncluding: "9.4", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", matchCriteriaId: "7B7A6697-98CC-4E36-93DB-B7160F8399F9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:7.3.0:*:*:*:*:*:*:*", matchCriteriaId: "407B62F8-F1D8-403D-B342-9EF06D6F128B", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.", }, { lang: "es", value: "La versión 5.0.5 de Spring Framework, cuando se utiliza en combinación con cualquier versión de Spring Security, contiene un omisión de autorización cuando se utiliza la seguridad del método. Un usuario malicioso no autorizado puede obtener acceso no autorizado a métodos que deben ser restringidos.", }, ], id: "CVE-2018-1258", lastModified: "2024-11-21T03:59:28.953", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-05-11T20:29:00.260", references: [ { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/104222", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1041888", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1041896", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2413", }, { source: "security_alert@emc.com", tags: [ "Vendor Advisory", ], url: "https://pivotal.io/security/cve-2018-1258", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20181018-0002/", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "security_alert@emc.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/104222", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1041888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1041896", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2413", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pivotal.io/security/cve-2018-1258", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20181018-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], sourceIdentifier: "security_alert@emc.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-863", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2017-04-17 21:59
Modified
2025-04-20 01:37
Severity ?
Summary
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", matchCriteriaId: "A364B542-9D74-48AD-9616-8F16107B3F9C", versionEndExcluding: "2.8.2", versionStartIncluding: "2.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:oncommand_api_services:-:*:*:*:*:*:*:*", matchCriteriaId: "5EC98B22-FFAA-4B59-8E63-EBAA4336AD13", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", matchCriteriaId: "F1BE6C1F-2565-4E97-92AA-16563E5660A5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", matchCriteriaId: "5735E553-9731-4AAC-BCFF-989377F817B3", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*", matchCriteriaId: "7081652A-D28B-494E-94EF-CA88117F23EE", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", matchCriteriaId: "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", matchCriteriaId: "7B7A6697-98CC-4E36-93DB-B7160F8399F9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*", matchCriteriaId: "84FF61DF-D634-4FB5-8DF1-01F631BE1A7A", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B99A2411-7F6A-457F-A7BF-EB13C630F902", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", matchCriteriaId: "041F9200-4C01-4187-AE34-240E8277B54D", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", matchCriteriaId: "4EB48767-F095-444F-9E05-D9AC345AB803", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", matchCriteriaId: "5F6FA12B-504C-4DBF-A32E-0548557AA2ED", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", matchCriteriaId: "33C068A4-3780-4EAB-A937-6082DF847564", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", matchCriteriaId: "51EF4996-72F4-4FA4-814F-F5991E7A8318", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*", matchCriteriaId: "D99A687E-EAE6-417E-A88E-D0082BC194CD", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", matchCriteriaId: "B353CE99-D57C-465B-AAB0-73EF581127D1", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.4:*:*:*:*:*:*:*", matchCriteriaId: "9EC0D196-F7B8-4BDD-9050-779F7A7FBEE4", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*", matchCriteriaId: "A4E9DD8A-A68B-4A69-8B01-BFF92A2020A8", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", matchCriteriaId: "BF77CDCF-B9C9-427D-B2BF-36650FB2148C", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*", matchCriteriaId: "D5F7E11E-FB34-4467-8919-2B6BEAABF665", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", matchCriteriaId: "B76AA310-FEC7-497F-AF04-C3EC1E76C4CC", vulnerable: true, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "825ECE2D-E232-46E0-A047-074B34DB1E97", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*", matchCriteriaId: "A5553591-073B-45E3-999F-21B8BA2EEE22", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", matchCriteriaId: "A125E817-F974-4509-872C-B71933F42AD1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:autovue_vuelink_integration:21.0.0:*:*:*:*:*:*:*", matchCriteriaId: "6FAA9FFE-8F55-4E81-B62F-A5500468AD30", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:autovue_vuelink_integration:21.0.1:*:*:*:*:*:*:*", matchCriteriaId: "C41B952C-B6FD-4244-BEEE-A1EB73503594", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*", matchCriteriaId: "8972497F-6E24-45A9-9A18-EB0E842CB1D4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*", matchCriteriaId: "400509A8-D6F2-432C-A2F1-AD5B8778D0D9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", matchCriteriaId: "132CE62A-FBFC-4001-81EC-35D81F73AF48", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:11.1.1.7.0:*:*:*:*:*:*:*", matchCriteriaId: "3D8D08B8-CE61-45A3-BAC2-6D0E7D567B68", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:11.1.1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "C83DA9A0-2EBC-4298-8412-1A7C4DC88C2B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "9DC56004-4497-4CDD-AE76-5E3DFAE170F0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:bi_publisher:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "274A0CF5-41E8-42E0-9931-F7372A65B9C4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.1:*:*:*:*:*:*:*", matchCriteriaId: "66DCCCD9-2170-4675-A447-FB679BC28A74", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "FD945A04-174C-46A2-935D-4F92631D1018", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_interactive_session_recorder:*:*:*:*:*:*:*:*", matchCriteriaId: "9D5F8F04-7DFB-4B44-90CF-F1372DB8313C", versionEndIncluding: "6.2", versionStartIncluding: "6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_messaging_server:*:*:*:*:*:*:*:*", matchCriteriaId: "A53B6FD8-8367-4915-B4D0-23572F31C539", versionEndExcluding: "8.0.2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", matchCriteriaId: "ABD748C9-24F6-4739-9772-208B98616EE2", versionEndIncluding: "7.3.6", versionStartIncluding: "7.3.2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_online_mediation_controller:6.1:*:*:*:*:*:*:*", matchCriteriaId: "15817206-C2AD-47B7-B40F-85BB36DB4E78", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:11.1:*:*:*:*:*:*:*", matchCriteriaId: "F6C9F582-6C82-4994-9724-22E9575E48B0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_pricing_design_center:12.0:*:*:*:*:*:*:*", matchCriteriaId: "49BB6E9C-B630-4BDC-AEC1-7F031F612D6B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_service_broker:6.0:*:*:*:*:*:*:*", matchCriteriaId: "373C4024-679F-4C37-B408-0FB0D7FD845F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*", matchCriteriaId: "77120A3C-9A48-45FC-A620-5072AF325ACF", versionEndExcluding: "7.2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:configuration_manager:12.1.2.0.2:*:*:*:*:*:*:*", matchCriteriaId: "8A76F09D-AF43-426B-A04F-79E1CAC51D03", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:configuration_manager:12.1.2.0.5:*:*:*:*:*:*:*", matchCriteriaId: "F5B5E83F-D4FD-4ABB-9B8E-97C0E7571AA5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*", matchCriteriaId: "9D03A8C9-35A5-4B75-9711-7A4A60457307", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_data_quality:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "36CF85A9-2C29-46E7-961E-8ADD0B5822CF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5:*:*:*:*:*:*:*", matchCriteriaId: "36E39918-B2D6-43F0-A607-8FD8BFF6F340", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "1FEB8446-7EAC-4A8D-B6EE-3AAC2294C324", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:12.1.0.5:*:*:*:*:*:*:*", matchCriteriaId: "14480702-4398-4C28-82A6-E7329FB3B650", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:13.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "6F4E0F9A-D925-43FB-A1B7-452EEAE6BE2D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:*:*:*:*:*:*:*:*", matchCriteriaId: "C2239009-34CE-4E54-992B-835649C9D96F", versionEndIncluding: "13.2.2.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_oracle_database:12.1.0.8:*:*:*:*:*:*:*", matchCriteriaId: "41650E24-8BFD-42F0-A3E2-545118602690", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_oracle_database:13.2.2:*:*:*:*:*:*:*", matchCriteriaId: "C5AFC807-4873-42B3-AEDE-8633A9BDDEF2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.1.1.1:*:*:*:*:*:*:*", matchCriteriaId: "2E3D0D69-6AFF-49DD-9BB4-5C0C6905D14E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:enterprise_manager_for_peoplesoft:13.2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "532955A8-7292-4662-9324-C961587C8657", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "6E3469D7-69E4-4242-B45A-C0CD9E691C4A", versionEndIncluding: "7.3.3.0.2", versionStartIncluding: "7.3.3.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", matchCriteriaId: "1D94C05C-7403-47D3-98D8-2DA8373FEE6F", versionEndIncluding: "8.0.7.0.0", versionStartIncluding: "8.0.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", matchCriteriaId: "46E31100-478A-480C-9518-A6D8FBB94B8B", versionEndIncluding: "8.0.4.0.0", versionStartIncluding: "8.0.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:6.1.1:*:*:*:*:*:*:*", matchCriteriaId: "48D8CC72-A67A-4CB0-948D-53488ACC7826", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:*:*:*:*:*:*:*", matchCriteriaId: "8DECBF5C-6C87-424F-A116-DD534EC5946C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:*:*:*:*:*:*:*", matchCriteriaId: "3469C84E-50F3-4461-864C-E59174DDC981", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*", matchCriteriaId: "2959030B-A9B7-4423-A2E8-9352FC83C4A2", versionEndIncluding: "14.8.0", versionStartIncluding: "14.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*", matchCriteriaId: "317CA916-61F3-4E24-B42F-610A1C88A5BA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.4:*:*:*:*:*:*:*", matchCriteriaId: "4E7791EF-A99D-4D52-AFC7-157372E88E21", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.5:*:*:*:*:*:*:*", matchCriteriaId: "265B796B-2DDA-43A6-A3A9-1A79676F25C2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_profitability_management:*:*:*:*:*:*:*:*", matchCriteriaId: "D4279644-04B8-4E58-A38D-CD1E4FB1C39C", versionEndIncluding: "8.0.7.0.0", versionStartIncluding: "8.0.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_profitability_management:6.1.1:*:*:*:*:*:*:*", matchCriteriaId: "43422E17-1D41-497E-A60B-31B1B4D6D563", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_regulatory_reporting_with_agilereporter:8.0.9.2.0:*:*:*:*:*:*:*", matchCriteriaId: "C9C146BA-6F4F-4A6F-8E53-8A4F5B8E15D9", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.0.4:*:*:*:*:*:*:*", matchCriteriaId: "B0A34DF8-72CC-4A8E-84F2-C2DF4A0B9FAB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.1.0:*:*:*:*:*:*:*", matchCriteriaId: "21BE77B2-6368-470E-B9E6-21664D9A818A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.3.0:*:*:*:*:*:*:*", matchCriteriaId: "3250073F-325A-4AFC-892F-F2005E3854A5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:12.4.0:*:*:*:*:*:*:*", matchCriteriaId: "0DDDC9C2-33D6-4123-9ABC-C9B809A6E88E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:flexcube_investor_servicing:14.0.0:*:*:*:*:*:*:*", matchCriteriaId: "991A279B-9D7C-4E39-8827-BC21C2C03B83", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.2:*:*:*:*:*:*:*", matchCriteriaId: "D151B58F-5583-4F19-B225-80075B45441B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3:*:*:*:*:*:*:*", matchCriteriaId: "C7D665C9-408A-4039-A2D4-9EE565BC4656", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate:12.3.2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "65B765DA-560B-4367-B9B0-B7369BC4D3DC", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:goldengate_application_adapters:12.3.2.1.1:*:*:*:*:*:*:*", matchCriteriaId: "CECECC34-8112-4328-BA49-39F30BE7874A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:identity_analytics:11.1.1.5.8:*:*:*:*:*:*:*", matchCriteriaId: "B4855252-D6CA-461D-B196-30AFA7482868", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:identity_management_suite:11.1.2.3.0:*:*:*:*:*:*:*", matchCriteriaId: "7A79A489-F37C-420A-83B1-4482A8DFF9BB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "1489DDA7-EDBE-404C-B48D-F0B52B741708", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:identity_manager_connector:9.0:*:*:*:*:*:*:*", matchCriteriaId: "E8BD581B-1CC0-4236-836A-204BBCBBBF77", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:in-memory_performance-driven_planning:12.1:*:*:*:*:*:*:*", matchCriteriaId: "16BBC649-7AA8-4B8E-9A3F-CC62948F0102", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:in-memory_performance-driven_planning:12.2:*:*:*:*:*:*:*", matchCriteriaId: "289702F6-1CC4-4D88-9745-EB0FA68A732B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*", matchCriteriaId: "9A74FD5F-4FEA-4A74-8B92-72DFDE6BA464", versionEndIncluding: "17.3", versionStartIncluding: "17.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*", matchCriteriaId: "CEE4B2F0-1AAB-4A1F-AE86-A568D43891B3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*", matchCriteriaId: "C79B50C2-27C2-4A9C-ACEE-B70015283F58", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:10.0:*:*:*:*:*:*:*", matchCriteriaId: "9ED4F724-C92F-4B4F-B631-81A4EA706DB2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:10.1:*:*:*:*:*:*:*", matchCriteriaId: "900450EB-A71D-4A8E-B8C4-AFD36F9A36B0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*", matchCriteriaId: "68017B52-6597-4E32-A38F-634B5635568C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_policy_administration:11.0:*:*:*:*:*:*:*", matchCriteriaId: "A19D11A6-BA1D-4121-8686-C177C450777F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*", matchCriteriaId: "DB6321F8-7A0A-4DB8-9889-3527023C652A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*", matchCriteriaId: "25F8E604-8180-4728-AD2D-7FF034E3E65A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*", matchCriteriaId: "02867DC7-E669-43C0-ACC4-E1CAA8B9994C", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FBAFA631-C92B-4FF7-8E65-07C67789EBCD", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*", matchCriteriaId: "9652104A-119D-4327-A937-8BED23C23861", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0:*:*:*:*:*:*:*", matchCriteriaId: "A055CAA6-F789-4E63-A212-84DBAC4BF044", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*", matchCriteriaId: "41684398-18A4-4DC6-B8A2-3EBAA0CBF9A6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*", matchCriteriaId: "A7506589-9B3B-49BA-B826-774BFDCC45B8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "042C243F-EDFE-4A04-AB0B-26E73CC34837", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "228DA523-4D6D-48C5-BDB0-DB1A60F23F8B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "48D04F3B-A385-4D8C-BD05-53006452346A", versionEndIncluding: "3.4.7.4297", versionStartIncluding: "3.4.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "4424C7C9-508B-4824-91A7-AFA1D8C8C698", versionEndIncluding: "4.0.4.5235", versionStartIncluding: "4.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", matchCriteriaId: "BFFFF50D-D301-4752-B720-4340C69E2A98", versionEndIncluding: "8.0.0.8131", versionStartIncluding: "8.0.0.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*", matchCriteriaId: "B21E71BD-DD38-4634-BF9F-092D55000DE6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:10.4.7:*:*:*:*:*:*:*", matchCriteriaId: "9D8B3B57-73D6-4402-987F-8AE723D52F94", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.1.0:*:*:*:*:*:*:*", matchCriteriaId: "62BF043E-BCB9-433D-BA09-7357853EE127", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.1.1:*:*:*:*:*:*:*", matchCriteriaId: "3F26FB80-F541-4B59-AC3C-633F49388B59", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.0:*:*:*:*:*:*:*", matchCriteriaId: "07EB8080-B6DE-47F4-B978-F56AEF7294BE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.1:*:*:*:*:*:*:*", matchCriteriaId: "0AE52320-14DB-4BD5-A1E5-6BBE4829923A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.2:*:*:*:*:*:*:*", matchCriteriaId: "2C0B5E4B-BA35-4949-B7EC-70C5F5E44FD8", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.3:*:*:*:*:*:*:*", matchCriteriaId: "165E98B6-9ADA-46A7-92C0-E3624D6D89C5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.4:*:*:*:*:*:*:*", matchCriteriaId: "092C9E61-8A0A-4348-A423-A9312D7D330F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.5:*:*:*:*:*:*:*", matchCriteriaId: "01949739-F799-47FE-9118-617F84903F70", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.6:*:*:*:*:*:*:*", matchCriteriaId: "34FAA06A-F092-452A-B35C-BC133834DA59", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.7:*:*:*:*:*:*:*", matchCriteriaId: "B8A9A0D5-95B9-47BB-8303-03D40DE46678", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.8:*:*:*:*:*:*:*", matchCriteriaId: "F071925B-7B0A-4250-9A25-1221711453FF", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.9:*:*:*:*:*:*:*", matchCriteriaId: "93CF9B92-309E-4356-B8C1-CB161A712479", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation:12.2.10:*:*:*:*:*:*:*", matchCriteriaId: "2CBCA717-6B8B-4CAF-8E9C-57335925CE2F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_connector_for_siebel:10.4.6:*:*:*:*:*:*:*", matchCriteriaId: "0DB5E2C7-9C68-4D3B-95AD-9CBF65DE1E94", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:10.4.7:*:*:*:*:*:*:*", matchCriteriaId: "8FFEC4A8-E000-4921-8563-5BC3B0DC6C5B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.1.0:*:*:*:*:*:*:*", matchCriteriaId: "DDB7DE72-2E0D-427D-AF1E-2BC068D0756B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.1.1:*:*:*:*:*:*:*", matchCriteriaId: "4C64A19B-BC3D-4C84-AE38-75EEAE3B5BEA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.0:*:*:*:*:*:*:*", matchCriteriaId: "5825956B-B0DD-4083-8E50-B8148F9F438E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.1:*:*:*:*:*:*:*", matchCriteriaId: "691A45D3-A594-4E95-9894-87B9FD6BE833", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.2:*:*:*:*:*:*:*", matchCriteriaId: "2F36C640-592C-4081-8B97-2432BF7DD1F6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.3:*:*:*:*:*:*:*", matchCriteriaId: "C477753B-2716-4266-815B-5BABDDFE1FDA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.4:*:*:*:*:*:*:*", matchCriteriaId: "9F94F4C7-8E3E-4D0E-A5E7-E8D4E2D21D6D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.5:*:*:*:*:*:*:*", matchCriteriaId: "CBCF09A6-8A57-40F4-9EB3-48F4806B4803", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.6:*:*:*:*:*:*:*", matchCriteriaId: "CBBE93A9-5628-4176-866E-88DE10B9778D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.7:*:*:*:*:*:*:*", matchCriteriaId: "FDB71361-D75B-4937-A48E-C2C0064E09FB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.8:*:*:*:*:*:*:*", matchCriteriaId: "FEB68145-0577-472D-B310-A7BF065ADA9E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.9:*:*:*:*:*:*:*", matchCriteriaId: "56961578-6FCB-489C-8431-22F9D263DFFA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:policy_automation_for_mobile_devices:12.2.10:*:*:*:*:*:*:*", matchCriteriaId: "93EA52BF-E710-4309-9272-8F81D5751ABA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "06CF27F6-ADC1-480C-9D2E-2BD1E7330C32", versionEndIncluding: "16.2.11", versionStartIncluding: "16.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", matchCriteriaId: "E4AA3854-C9FD-4287-85A0-EE7907D1E1ED", versionEndIncluding: "17.12.7", versionStartIncluding: "17.12.0", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*", matchCriteriaId: "19A0F1AF-F2E6-44E7-8E2D-190E103B72D3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*", matchCriteriaId: "6D53690D-3390-4A27-988A-709CD89DD05B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.0:*:*:*:*:*:*:*", matchCriteriaId: "A25285DC-9E51-44F8-818A-86A79B3565DA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:*:*:*:*:*:*:*", matchCriteriaId: "517E0654-F1DE-43C4-90B5-FB90CA31734B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_clearance_optimization_engine:14.0.5:*:*:*:*:*:*:*", matchCriteriaId: "FE91D517-D85D-4A8D-90DC-4561BBF8670E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.0:*:*:*:*:*:*:*", matchCriteriaId: "202DE5CB-B3D4-4289-9AA2-24E9CE266EE3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.1:*:*:*:*:*:*:*", matchCriteriaId: "2F7D07CB-15D2-424D-8E25-7AC59ACFFD05", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2:*:*:*:*:*:*:*", matchCriteriaId: "AE02A69E-F820-4261-8D7E-9B1021E5A9AB", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*", matchCriteriaId: "4E306B67-E1BD-4A67-A77D-A7DC72D5B957", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.0.0:*:*:*:*:*:*:*", matchCriteriaId: "CB5F56EC-8415-4BA1-9D8A-C77F4BB1AF62", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:14.1.0:*:*:*:*:*:*:*", matchCriteriaId: "965BCB93-2DED-41FD-972E-FF5958691A35", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*", matchCriteriaId: "42064F46-3012-4FB1-89BA-F13C2E4CBB6B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*", matchCriteriaId: "F73E2EFA-0F43-4D92-8C7D-9E66811B76D6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_open_commerce_platform:5.3.0:*:*:*:*:*:*:*", matchCriteriaId: "07630491-0624-4C5C-A858-C5D3CDCD1B68", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.0:*:*:*:*:*:*:*", matchCriteriaId: "EC9CA11F-F718-43E5-ADB9-6C348C75E37A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_open_commerce_platform:6.0.1:*:*:*:*:*:*:*", matchCriteriaId: "9FBAAD32-1E9D-47F1-9F47-76FEA47EF54F", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_predictive_application_server:15.0.3:*:*:*:*:*:*:*", matchCriteriaId: "24A3C819-5151-4543-A5C6-998C9387C8A2", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*", matchCriteriaId: "378A6656-252B-4929-83EA-BC107FDFD357", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*", matchCriteriaId: "363395FA-C296-4B2B-9D6F-BCB8DBE6FACE", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*", matchCriteriaId: "F62A2144-5EF8-4319-B8C2-D7975F51E5FA", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:siebel_ui_framework:18.7:*:*:*:*:*:*:*", matchCriteriaId: "EBAE649F-0389-4875-A995-E73E287AB342", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:siebel_ui_framework:18.8:*:*:*:*:*:*:*", matchCriteriaId: "9D5EC241-7D11-47F4-8B41-D362651A5E8B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:siebel_ui_framework:18.9:*:*:*:*:*:*:*", matchCriteriaId: "8FCB6791-EBFA-4620-ABD4-D55CDCF3EA9D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:soa_suite:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "AF4C318C-5D1E-479B-9597-9FAD9E186111", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:soa_suite:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "65994DC4-C9C0-48B0-88AB-E2958B4EB9E3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:soa_suite:12.2.2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "4580A7AB-54A9-4784-9087-A3F107258593", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*", matchCriteriaId: "70D4467D-6968-4557-AF61-AFD42B2B48D3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:timesten_in-memory_database:11.2.2.8.49:*:*:*:*:*:*:*", matchCriteriaId: "F9EB3DE5-142C-43A5-9735-CB73C54D42E4", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_advanced_spatial_and_operational_analytics:2.7.0.1:*:*:*:*:*:*:*", matchCriteriaId: "6FD0EC40-B96B-4E9C-9A81-4E65C4B9512E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:utilities_work_and_asset_management:1.9.1.2.12:*:*:*:*:*:*:*", matchCriteriaId: "BB1011D4-E5EE-4722-B644-D522EFC6337A", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*", matchCriteriaId: "B40B13B7-68B3-4510-968C-6A730EB46462", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*", matchCriteriaId: "C93CC705-1F8C-4870-99E6-14BF264C3811", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*", matchCriteriaId: "F14A818F-AA16-4438-A3E4-E64C9287AC66", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*", matchCriteriaId: "4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "04BCDC24-4A21-473C-8733-0D9CFB38A752", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.", }, { lang: "es", value: "En Apache Log4j 2.x en versiones anteriores a 2.8.2, cuando se utiliza el servidor de socket TCP o el servidor de socket UDP para recibir sucesos de registro serializados de otra aplicación, puede enviarse una carga binaria especialmente diseñada que, cuando se deserializa, puede ejecutar código arbitrario.", }, ], id: "CVE-2017-5645", lastModified: "2025-04-20T01:37:25.860", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2017-04-17T21:59:00.373", references: [ { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { source: "security@apache.org", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "security@apache.org", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "security@apache.org", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/97702", }, { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1040200", }, { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1041294", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { source: "security@apache.org", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3Cdev.logging.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3Cdev.logging.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3Cissues.beam.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3Cgithub.beam.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3Cgithub.beam.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3Cgithub.beam.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3Ccommits.logging.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3Cgithub.beam.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3Ccommits.doris.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3Cgithub.beam.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/97702", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1040200", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1041294", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3Cdev.logging.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3Cdev.logging.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3Cissues.beam.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3Cgithub.beam.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3Cgithub.beam.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3Cgithub.beam.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3Ccommits.logging.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3Cgithub.beam.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3Ccommits.doris.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3Cgithub.beam.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-05-23 14:29
Modified
2024-11-21 04:16
Severity ?
Summary
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | activemq | 5.15.9 | |
| apache | drill | 1.16.0 | |
| apache | zookeeper | * | |
| apache | zookeeper | 3.5.0 | |
| apache | zookeeper | 3.5.0 | |
| apache | zookeeper | 3.5.0 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.1 | |
| apache | zookeeper | 3.5.2 | |
| apache | zookeeper | 3.5.2 | |
| apache | zookeeper | 3.5.2 | |
| apache | zookeeper | 3.5.2 | |
| apache | zookeeper | 3.5.3 | |
| apache | zookeeper | 3.5.3 | |
| apache | zookeeper | 3.5.3 | |
| apache | zookeeper | 3.5.3 | |
| apache | zookeeper | 3.5.4 | |
| debian | debian_linux | 8.0 | |
| debian | debian_linux | 9.0 | |
| redhat | fuse | 1.0.0 | |
| oracle | goldengate_stream_analytics | * | |
| oracle | siebel_core_-_server_framework | * | |
| oracle | timesten_in-memory_database | * | |
| netapp | hci_bootstrap_os | - | |
| netapp | hci_compute_node | - | |
| netapp | element_software | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:activemq:5.15.9:*:*:*:*:*:*:*", matchCriteriaId: "70B11FEF-4CBF-4483-A5BD-CDA5AFAE52AE", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:drill:1.16.0:*:*:*:*:*:*:*", matchCriteriaId: "235DC57F-22B8-4219-9499-7D005D90A654", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:*:*:*:*:*:*:*:*", matchCriteriaId: "19FD698D-914D-46C3-810B-F749CD0C0DE8", versionEndIncluding: "3.4.13", versionStartIncluding: "1.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.0:-:*:*:*:*:*:*", matchCriteriaId: "3B1074FD-02DC-4CDC-A8F2-4CE0827539B6", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.0:alpha:*:*:*:*:*:*", matchCriteriaId: "2F0F84E2-88CE-4350-B342-DA761D43682E", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.0:rc0:*:*:*:*:*:*", matchCriteriaId: "ACB3229A-F1BA-4AA7-916A-9061BE561AD4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:-:*:*:*:*:*:*", matchCriteriaId: "0E5C9D62-F9A2-4961-8440-9DF6F5C213D8", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:alpha:*:*:*:*:*:*", matchCriteriaId: "A0C88D5A-86CD-41D3-B453-6060482E84E3", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:rc0:*:*:*:*:*:*", matchCriteriaId: "24BEEE1F-5408-43F8-B662-B826349E97D8", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:rc1:*:*:*:*:*:*", matchCriteriaId: "4031DB88-F356-458F-BC77-91B62744A466", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:rc2:*:*:*:*:*:*", matchCriteriaId: "AB019BEC-6C42-4A51-9C45-389B6529CE96", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:rc3:*:*:*:*:*:*", matchCriteriaId: "107E465A-A904-4198-8171-3D764B9F1C19", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.1:rc4:*:*:*:*:*:*", matchCriteriaId: "D5DE5D25-B8A9-4172-80FF-D430D47AE96A", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.2:-:*:*:*:*:*:*", matchCriteriaId: "3E2EB460-5B43-42E3-98AF-FB08B0C94957", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.2:alpha:*:*:*:*:*:*", matchCriteriaId: "9C89705C-D40E-4C7D-A019-809D32AC1A98", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.2:rc0:*:*:*:*:*:*", matchCriteriaId: "738C3017-324B-46AB-8D71-5202E31DBC97", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.2:rc1:*:*:*:*:*:*", matchCriteriaId: "39BE8DA0-6839-4E59-838F-E0D6A4F96D3B", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.3:-:*:*:*:*:*:*", matchCriteriaId: "09C66E38-BDA9-42A6-8DBE-4E8781AE8394", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.3:beta:*:*:*:*:*:*", matchCriteriaId: "81C99F52-0D85-41C8-A0DA-CE29C917ADDC", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.3:rc0:*:*:*:*:*:*", matchCriteriaId: "9B94B4B9-2B39-4879-BC68-2E4DEC57650D", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.3:rc1:*:*:*:*:*:*", matchCriteriaId: "3E6AADAF-368B-4143-AE49-736A4101D732", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:zookeeper:3.5.4:beta:*:*:*:*:*:*", matchCriteriaId: "C392B5BC-1B19-49CB-B43F-D485EC4DC094", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0.0:*:*:*:*:*:*:*", matchCriteriaId: "0F31D7E8-D31D-4268-9ABF-3733915AA226", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:goldengate_stream_analytics:*:*:*:*:*:*:*:*", matchCriteriaId: "F4E7F2AA-B851-4D85-9895-2CDD6BE9FCB4", versionEndExcluding: "19.1.0.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:siebel_core_-_server_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "F9C855EA-6E35-4EFF-ADEB-0EDFF90272BD", versionEndIncluding: "21.5", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*", matchCriteriaId: "3CFFA207-BDA9-4088-890E-99D9A30421D8", versionEndExcluding: "18.1.3.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:netapp:hci_bootstrap_os:-:*:*:*:*:*:*:*", matchCriteriaId: "1C767AA1-88B7-48F0-9F31-A89D16DCD52C", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*", matchCriteriaId: "AD7447BC-F315-4298-A822-549942FC118B", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", matchCriteriaId: "85DF4B3F-4BBC-42B7-B729-096934523D63", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", }, { lang: "es", value: "Hay un problema presente en Apache ZooKeeper 1.0.0 a 3.4.13 y 3.5.0-alpha a 3.5.4-beta. El comando getACL () de ZooKeeper no verifica ningún permiso cuando recupera las ACL del nodo solicitado y devuelve toda la información contenida en el campo Id. De ACL como cadena de texto sin formato. DigestAuthenticationProvider sobrecarga el campo Id con el valor hash que se utiliza para la autenticación del usuario. Como consecuencia, si la autenticación implícita está en uso, el valor hash sin sal será revelado por la solicitud getACL () para usuarios no autenticados o no privilegiados.", }, ], id: "CVE-2019-0201", lastModified: "2024-11-21T04:16:28.487", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.9, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-05-23T14:29:07.517", references: [ { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108427", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { source: "security@apache.org", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { source: "security@apache.org", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/bugtraq/2019/Jun/13", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2019/dsa-4461", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "security@apache.org", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { source: "security@apache.org", tags: [ "Vendor Advisory", ], url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/108427", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Vendor Advisory", ], url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://seclists.org/bugtraq/2019/Jun/13", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2019/dsa-4461", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2019-03-25 22:29
Modified
2024-11-21 04:16
Severity ?
Summary
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", matchCriteriaId: "CA0695E0-954A-4533-9D93-58257E9EA6D5", versionEndExcluding: "1.4.3", versionStartIncluding: "1.4.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", matchCriteriaId: "B51B8DF0-FCE4-42A7-A582-0476226C6188", versionEndExcluding: "1.5.3", versionStartIncluding: "1.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", matchCriteriaId: "01878119-E05A-469B-B49D-5D19082CED28", versionEndExcluding: "1.6.2", versionStartIncluding: "1.6.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:mesos:*:*:*:*:*:*:*:*", matchCriteriaId: "1AB1BB7C-46A1-4676-9D15-D75EC1E4594C", versionEndExcluding: "1.7.2", versionStartIncluding: "1.7.0", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:mesos:1.8.0:dev:*:*:*:*:*:*", matchCriteriaId: "E5262F5B-F30B-42AF-9D48-77041AC709AB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:7.5.0:*:*:*:*:*:*:*", matchCriteriaId: "ECF2CBAC-69B9-41A5-9999-6C07090A6204", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.", }, { lang: "es", value: "Una imagen Docker especialmente manipulada que se ejecuta bajo un usuario root puede sobrescribir el binario init helper del tiempo de ejecución del contenedor y/o del ejecutor de comandos en Apache Mesos, en versiones pre-1.4.x, de 1.4.0 a 1.4.2, de 1.5.0 a 1.5.2, de 1.6.0 a 1.6.1 y de 1.7.0 a 1.7.1. Un actor malicioso puede, por lo tanto, lograr la ejecución de código de nivel root en el host.", }, ], id: "CVE-2019-0204", lastModified: "2024-11-21T04:16:28.980", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 9.3, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-03-25T22:29:00.730", references: [ { source: "security@apache.org", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/107605", }, { source: "security@apache.org", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { source: "security@apache.org", url: "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/107605", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E", }, ], sourceIdentifier: "security@apache.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-23 16:15
Modified
2024-11-21 06:22
Severity ?
Summary
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2021-3690 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1991299 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877 | Patch, Third Party Advisory | |
| secalert@redhat.com | https://issues.redhat.com/browse/UNDERTOW-1935 | Exploit, Issue Tracking, Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2021-3690 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1991299 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://issues.redhat.com/browse/UNDERTOW-1935 | Exploit, Issue Tracking, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | fuse | 1.0 | |
| redhat | integration_camel_k | - | |
| redhat | integration_camel_quarkus | - | |
| redhat | jboss_enterprise_application_platform | - | |
| redhat | openshift_application_runtimes | - | |
| redhat | single_sign-on | - | |
| redhat | undertow | * | |
| redhat | undertow | * | |
| redhat | jboss_enterprise_application_platform | 7.3 | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | jboss_enterprise_application_platform | 7.4 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", matchCriteriaId: "B87C8AD3-8878-4546-86C2-BF411876648C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*", matchCriteriaId: "F039C746-2001-4EE5-835F-49607A94F12B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*", matchCriteriaId: "ADB40F59-CAAE-47D6-850C-12619D8D5B34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "542D0A09-0EF5-4BDB-AEE2-98E6FC6AB379", versionEndExcluding: "2.0.40", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:undertow:*:*:*:*:*:*:*:*", matchCriteriaId: "B8982494-EED0-4EF7-8DF4-C8DB7D0D5F95", versionEndExcluding: "2.2.10", versionStartIncluding: "2.1.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.", }, { lang: "es", value: "Se ha encontrado un fallo en Undertow. Un filtrado de búfer en el mensaje entrante de WebSocket PONG puede conllevar a el agotamiento de la memoria. Este fallo permite a un atacante causar una denegación de servicio. La mayor amenaza de esta vulnerabilidad es la disponibilidad.", }, ], id: "CVE-2021-3690", lastModified: "2024-11-21T06:22:09.833", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-23T16:15:09.450", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2021-3690", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991299", }, { source: "secalert@redhat.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory", ], url: "https://issues.redhat.com/browse/UNDERTOW-1935", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2021-3690", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1991299", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Mitigation", "Vendor Advisory", ], url: "https://issues.redhat.com/browse/UNDERTOW-1935", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-401", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2018-03-16 20:29
Modified
2024-11-21 03:59
Severity ?
Summary
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | spring_framework | * | |
| vmware | spring_framework | * | |
| vmware | spring_security | * | |
| vmware | spring_security | * | |
| vmware | spring_security | * | |
| redhat | fuse | 1.0 | |
| oracle | rapid_planning | 12.1 | |
| oracle | rapid_planning | 12.2 | |
| oracle | retail_xstore_point_of_service | 7.1 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "47399570-353A-40AC-B3C7-2E78232261DB", versionEndExcluding: "4.3.14", versionStartIncluding: "4.3.0", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*", matchCriteriaId: "F3AA57D0-0A3A-4B0C-B208-A5F272F722A8", versionEndExcluding: "5.0.3", versionStartIncluding: "5.0.0", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", matchCriteriaId: "349CCF1E-320D-4411-98E4-B5B001376782", versionEndExcluding: "4.1.5", versionStartIncluding: "4.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", matchCriteriaId: "DE8984CF-8B79-4267-B984-66817478638A", versionEndExcluding: "4.2.4", versionStartIncluding: "4.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:vmware:spring_security:*:*:*:*:*:*:*:*", matchCriteriaId: "B583A62A-EF04-4664-B8F5-57A02D833F75", versionEndExcluding: "5.0.1", versionStartIncluding: "5.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fuse:1.0:*:*:*:*:*:*:*", matchCriteriaId: "077732DB-F5F3-4E9C-9AC0-8142AB85B32F", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*", matchCriteriaId: "19A0F1AF-F2E6-44E7-8E2D-190E103B72D3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*", matchCriteriaId: "6D53690D-3390-4A27-988A-709CD89DD05B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*", matchCriteriaId: "A0ED83E3-E6BF-4EAA-AF8F-33485A88A218", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.", }, { lang: "es", value: "Spring Security (Spring Security en versiones 4.1.x anteriores a la 4.1.5, versiones 4.2.x anteriores a la 4.2.4 y versiones 5.0.x anteriores a la 5.0.1; y Spring Framework en versiones 4.3.x anteriores a la 4.3.14 y versiones 5.0.x anteriores a la 5.0.3) no tiene en cuenta los parámetros de ruta de URL al procesar limitaciones de seguridad. Al añadir un parámetro de ruta URL con codificaciones especiales, un atacante podría ser capaz de omitir una limitación de seguridad. La causa raíz de este problema es la falta de claridad con respecto a la gestión de los parámetros de ruta en Servlet Specification. Algunos contenedores de Servlet incluyen parámetros de ruta en el valor devuelto a getPathInfo(), pero otros no. Spring Security emplea el valor devuelto por getPathInfo() como parte del proceso de mapeo de peticiones a limitaciones de seguridad. En este ataque en concreto, las diferentes codificaciones de caracteres empleadas en los parámetros de ruta permiten la omisión de URL de recursos estáticos seguros de Spring MVC.", }, ], id: "CVE-2018-1199", lastModified: "2024-11-21T03:59:22.800", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2018-03-16T20:29:00.430", references: [ { source: "security_alert@emc.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2405", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { source: "security_alert@emc.com", tags: [ "Vendor Advisory", ], url: "https://pivotal.io/security/cve-2018-1199", }, { source: "security_alert@emc.com", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:2405", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3Cissues.activemq.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://pivotal.io/security/cve-2018-1199", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, ], sourceIdentifier: "security_alert@emc.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-08-24 16:15
Modified
2024-11-21 06:37
Severity ?
Summary
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2021-4178 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2034388 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://github.com/advisories/GHSA-98g7-rxmf-rrxm | Third Party Advisory | |
| secalert@redhat.com | https://github.com/fabric8io/kubernetes-client/issues/3653 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2021-4178 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2034388 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/advisories/GHSA-98g7-rxmf-rrxm | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/fabric8io/kubernetes-client/issues/3653 | Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | fabric8-kubernetes | * | |
| redhat | fabric8-kubernetes | * | |
| redhat | fabric8-kubernetes | * | |
| redhat | fabric8-kubernetes | * | |
| redhat | fabric8-kubernetes | * | |
| redhat | fabric8-kubernetes | * | |
| redhat | fabric8-kubernetes | 5.0.0 | |
| redhat | fabric8-kubernetes | 5.8.0 | |
| redhat | a-mq_streams | 2.0.1 | |
| redhat | build_of_quarkus | 2.2.5 | |
| redhat | descision_manager | 7.0 | |
| redhat | fuse | 7.11 | |
| redhat | integration_camel_k | - | |
| redhat | integration_camel_quarkus | 2.2.1 | |
| redhat | openshift_application_runtimes | - | |
| redhat | process_automation | 7.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:*:*:*:*:*:*:*:*", matchCriteriaId: "9C5E8807-F660-4409-A21C-754651357607", versionEndExcluding: "5.0.3", versionStartIncluding: "5.0.1", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:*:*:*:*:*:*:*:*", matchCriteriaId: "D7917BF3-0004-425B-81FB-B8FC91B67AC9", versionEndExcluding: "5.1.2", versionStartIncluding: "5.1.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:*:*:*:*:*:*:*:*", matchCriteriaId: "EB204B60-8C18-4CB9-87AD-881554AA3670", versionEndExcluding: "5.3.2", versionStartIncluding: "5.2.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:*:*:*:*:*:*:*:*", matchCriteriaId: "D84A3A14-3DF4-4FAB-B0DA-844C71D5DDE6", versionEndExcluding: "5.7.4", versionStartIncluding: "5.5.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:*:*:*:*:*:*:*:*", matchCriteriaId: "7E9612B1-9CD0-4D67-A081-7C6FAE15C67A", versionEndExcluding: "5.10.2", versionStartIncluding: "5.9.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:*:*:*:*:*:*:*:*", matchCriteriaId: "B44CBDE1-11E2-437A-8E18-FDF2BEA698E3", versionEndExcluding: "5.11.2", versionStartIncluding: "5.11.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:5.0.0:beta1:*:*:*:*:*:*", matchCriteriaId: "1C52990C-0DA1-470A-9C32-89AE565F8F4F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fabric8-kubernetes:5.8.0:*:*:*:*:*:*:*", matchCriteriaId: "9F5C7BC4-0891-42A0-85EA-A2C3AE54F383", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:a-mq_streams:2.0.1:*:*:*:*:*:*:*", matchCriteriaId: "40D55461-678A-494A-B678-3D491E657D2C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:build_of_quarkus:2.2.5:*:*:*:*:*:*:*", matchCriteriaId: "B65B37D5-BC88-4BD7-A2A9-DE96C8F01C65", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "D5863BBF-829E-44EF-ACE8-61D5037251F6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fuse:7.11:*:*:*:*:*:*:*", matchCriteriaId: "3CB90AE6-BE72-47F4-8888-1232E297AF68", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*", matchCriteriaId: "B87C8AD3-8878-4546-86C2-BF411876648C", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:integration_camel_quarkus:2.2.1:*:*:*:*:*:*:*", matchCriteriaId: "5D9347A4-D0A9-4EC5-959B-877FFC2F93CE", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*", matchCriteriaId: "A33441B3-B301-426C-A976-08CE5FE72EFB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "20A6B40D-F991-4712-8E30-5FE008505CB7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.", }, { lang: "es", value: "Se ha encontrado un fallo de ejecución de código arbitrario en el cliente de Kubernetes Fabric 8 afectando a versiones 5.0.0-beta-1 y superiores. Debido a una configuración incorrecta del análisis de YAML, esto permitirá a un atacante local y con privilegios suministrar YAML malicioso.", }, ], id: "CVE-2021-4178", lastModified: "2024-11-21T06:37:04.627", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 6.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-08-24T16:15:09.770", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2021-4178", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2034388", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://github.com/advisories/GHSA-98g7-rxmf-rrxm", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/fabric8io/kubernetes-client/issues/3653", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2021-4178", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2034388", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/advisories/GHSA-98g7-rxmf-rrxm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/fabric8io/kubernetes-client/issues/3653", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2020-07-06 19:15
Modified
2024-11-21 04:27
Severity ?
Summary
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", matchCriteriaId: "A0960BC3-6311-47BC-8A26-64352815D61D", versionEndExcluding: "5.3.18", vulnerable: true, }, { criteria: "cpe:2.3:a:hibernate:hibernate_orm:*:*:*:*:*:*:*:*", matchCriteriaId: "DC6F089C-BBE4-4E11-BAC8-3CD6ADE1CA28", versionEndExcluding: "5.4.18", versionStartIncluding: "5.4.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:text-only:*:*:*", matchCriteriaId: "C4724F20-5376-4FB0-8DFA-A75004E2F60D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*", matchCriteriaId: "68146098-58F8-417E-B165-5182527117C4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:fuse:*:*:*:*:*:*:*:*", matchCriteriaId: "BE29E03D-4680-49E1-8DB4-17B2705E9FBF", versionEndExcluding: "7.8.0", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*", matchCriteriaId: "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:text-only:*:*:*", matchCriteriaId: "B8423D7F-3A8F-4AD8-BF51-245C9D8DD816", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_middleware_text-only_advisories:-:*:*:*:*:*:*:*", matchCriteriaId: "434B744A-9665-4340-B02D-7923FCB2B562", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", matchCriteriaId: "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", matchCriteriaId: "704CFA1A-953E-4105-BFBE-406034B83DED", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*", matchCriteriaId: "EB7F358B-5E56-41AB-BB8A-23D3CB7A248B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", matchCriteriaId: "2A9BF484-A446-4315-B748-F4723622C464", versionEndIncluding: "1.5.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.4:*:*:*:*:*:*:*", matchCriteriaId: "645A908C-18C2-4AB1-ACE7-3969E3A552A5", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3:*:*:*:*:*:*:*", matchCriteriaId: "B4911A72-5FAE-47C5-A141-2E3CA8E1CCAB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*", matchCriteriaId: "0C3AA5CE-9ACB-4E96-A4C1-50A662D641FB", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", }, { lang: "es", value: "Se encontró un fallo en Hibernate ORM en versiones anteriores a 5.3.18, 5.4.18 y 5.5.0.Beta1. Una inyección SQL en la implementación de la API JPA Criteria puede permitir literales no saneados cuando es usado un literal en las partes de la consulta SELECT o GROUP BY. Este fallo podría permitir a un atacante acceder a información no autorizada o posiblemente conducir a nuevos ataques", }, ], id: "CVE-2019-14900", lastModified: "2024-11-21T04:27:38.783", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 8, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2020-07-06T19:15:12.230", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1666499", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/r833c1276e41334fa675848a08daf0c61f39009f9f9a400d9f7006d44%40%3Cdev.turbine.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220210-0020/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-89", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
var-201805-1190
Vulnerability from variot
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. An attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. Pivotal Software Spring Security is a set of security framework provided by American Pivotal Software Company to provide descriptive security protection for Spring-based applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Fuse 7.4.0 security update Advisory ID: RHSA-2019:2413-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2019:2413 Issue date: 2019-08-08 CVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320 CVE-2018-8088 CVE-2018-10899 CVE-2018-15758 CVE-2019-0192 CVE-2019-3805 ==================================================================== 1. Summary:
A minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
-
hazelcast: java deserialization in join cluster procedure leading to remote code execution (CVE-2016-10750)
-
slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution (CVE-2018-8088)
-
jolokia: system-wide CSRF that could lead to Remote Code Execution (CVE-2018-10899)
-
spring-security-oauth: Privilege escalation by manipulating saved authorization request (CVE-2018-15758)
-
solr: remote code execution due to unsafe deserialization (CVE-2019-0192)
-
thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)
-
spring-security-core: Unauthorized Access with Spring Security Method Security (CVE-2018-1258)
-
wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Installation instructions are available from the Fuse 7.4.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
- Bugs fixed (https://bugzilla.redhat.com/):
1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution 1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security 1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution 1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class 1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization 1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution
- References:
https://access.redhat.com/security/cve/CVE-2016-10750 https://access.redhat.com/security/cve/CVE-2018-1258 https://access.redhat.com/security/cve/CVE-2018-1320 https://access.redhat.com/security/cve/CVE-2018-8088 https://access.redhat.com/security/cve/CVE-2018-10899 https://access.redhat.com/security/cve/CVE-2018-15758 https://access.redhat.com/security/cve/CVE-2019-0192 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXUv0xNzjgjWX9erEAQhCzRAAjdpuIeE+WhWxaZpzsfh333p6RXGKoB8g 4BGVD7yZjSNoPmRzkSuaNUTT0wYZdRLSNeYK1FvxqZlTBesHbe3IV80gDNiV2vad VzwNYukUoa6s8hdzKY/zCKwhuZ5cWkk+FLjFAPEfZt2Typ3kyYPnK/RxNnzfeSgc 90xh60LImUIJK/hGyOL40z8pGFbG404TJbdezYnQt0/l0NBGxPqBGOHnIgpZhAgw gNMEglpIrxap4UzwSEzA5tmjRUDHeUBpsUpKsez5XL2ECssqrRyK8Hj/KeacnARF Mnvf4U/lIOamD6Tles8IAFo/kexW+OxKiHbivOFutraLdEXysgkK8Uf5EQqYKW9+ 7OgEuyMxUi5Pbj4kL666iBp5oV95gEHm2zcQEbn65BFJ3nomb5nReHh5t7G0AqHy GYj9dlx84+UG0Fr717Vi586KwtCu6rgdZJS25+0kSCeZk/cowYLW09G+j/+Jk3yg N/uUfoxqmC/A+SyupFh1A9XZg7oZhkB+Qwo6D2+BejiwXsD8Jv4uzrI7U7+Lg/YK UFa2oqArMKNrF0zf9152lqCEpOL8dCO3X8RcB8LmQcapmr1MYGB+18oNT4o3JcY3 Aa1hoi5+2gGgR7HHuqTsxnDXYPtgqR9CMylc5gmYsMFK5W3sNX8Z/qazoH3fIVtu NNAto03aZgE=rpUB -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-201805-1190", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "weblogic server", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.2.1.3", }, { model: "weblogic server", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.1.3.0", }, { model: "retail integration bus", scope: "eq", trust: 1.3, vendor: "oracle", version: "14.1.2", }, { model: "retail financial integration", scope: "eq", trust: 1.3, vendor: "oracle", version: "16.0", }, { model: "retail financial integration", scope: "eq", trust: 1.3, vendor: "oracle", version: "15.0", }, { model: "retail financial integration", scope: "eq", trust: 1.3, vendor: "oracle", version: "14.1", }, { model: "retail financial integration", scope: "eq", trust: 1.3, vendor: "oracle", version: "14.0", }, { model: "retail financial integration", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.2", }, { model: "retail customer insights", scope: "eq", trust: 1.3, vendor: "oracle", version: "16.0", }, { model: "retail customer insights", scope: "eq", trust: 1.3, vendor: "oracle", version: "15.0", }, { model: "retail assortment planning", scope: "eq", trust: 1.3, vendor: "oracle", version: "16.0", }, { model: "retail assortment planning", scope: "eq", trust: 1.3, vendor: "oracle", version: "15.0", }, { model: "retail assortment planning", scope: "eq", trust: 1.3, vendor: "oracle", version: "14.1", }, { model: "micros lucas", scope: "eq", trust: 1.3, vendor: "oracle", version: "2.9.5", }, { model: "insurance rules palette", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.2", }, { model: "insurance rules palette", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.0", }, { model: "insurance calculation engine", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.2", }, { model: "hospitality guest access", scope: "eq", trust: 1.3, vendor: "oracle", version: "4.2.1", }, { model: "healthcare master person index", scope: "eq", trust: 1.3, vendor: "oracle", version: "4.0", }, { model: "healthcare master person index", scope: "eq", trust: 1.3, vendor: "oracle", version: "3.0", }, { model: "health sciences information manager", scope: "eq", trust: 1.3, vendor: "oracle", version: "3.0", }, { model: "enterprise manager ops center", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.3.3", }, { model: "application testing suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.3.0.1", }, { model: "application testing suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.2.0.1", }, { model: "application testing suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.1.0.1", }, { model: "application testing suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.5.0.3", }, { model: "agile plm", scope: "eq", trust: 1.3, vendor: "oracle", version: "9.3.5", }, { model: "agile plm", scope: "eq", trust: 1.3, vendor: "oracle", version: "9.3.3", }, { model: "agile plm", scope: "eq", trust: 1.3, vendor: "oracle", version: "9.3.6", }, { model: "agile plm", scope: "eq", trust: 1.3, vendor: "oracle", version: "9.3.4", }, { model: "goldengate for big data", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.0.1", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.2", }, { model: "enterprise manager ops center", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2", }, { model: "retail central office", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "10.1", }, { model: "big data discovery", scope: "eq", trust: 1, vendor: "oracle", version: "1.6.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "11.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "10.0", }, { model: "enterprise manager for mysql database", scope: "eq", trust: 1, vendor: "oracle", version: "13.2", }, { model: "retail back office", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "communications network integrity", scope: "lte", trust: 1, vendor: "oracle", version: "7.3.6", }, { model: "snapcenter", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "communications performance intelligence center", scope: "lt", trust: 1, vendor: "oracle", version: "10.2.1", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "10.3.6.0", }, { model: "endeca information discovery integrator", scope: "eq", trust: 1, vendor: "oracle", version: "3.2.0", }, { model: "communications diameter signaling router", scope: "lt", trust: 1, vendor: "oracle", version: "8.3", }, { model: "service architecture leveraging tuxedo", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2.0.0", }, { model: "oncommand workflow automation", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "communications network integrity", scope: "gte", trust: 1, vendor: "oracle", version: "7.3.2", }, { model: "goldengate for big data", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.2.1", }, { model: "enterprise repository", scope: "eq", trust: 1, vendor: "oracle", version: "11.1.1.7.0", }, { model: "insurance calculation engine", scope: "eq", trust: 1, vendor: "oracle", version: "10.1.1", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "10.1", }, { model: "hospitality guest access", scope: "eq", trust: 1, vendor: "oracle", version: "4.2.0", }, { model: "oncommand unified manager", scope: "gte", trust: 1, vendor: "netapp", version: "9.4", }, { model: "spring security", scope: "eq", trust: 1, vendor: "pivotal", version: "*", }, { model: "communications converged application server", scope: "lt", trust: 1, vendor: "oracle", version: "7.0.0.1", }, { model: "retail point-of-service", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "fuse", scope: "eq", trust: 1, vendor: "redhat", version: "7.3.0", }, { model: "spring framework", scope: "eq", trust: 1, vendor: "vmware", version: "5.0.5", }, { model: "mysql enterprise monitor", scope: "lte", trust: 1, vendor: "oracle", version: "8.0.2.8191", }, { model: "storage automation store", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "retail returns management", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "goldengate for big data", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.1.1", }, { model: "endeca information discovery integrator", scope: "eq", trust: 1, vendor: "oracle", version: "3.1.0", }, { model: "tape library acsls", scope: "eq", trust: 1, vendor: "oracle", version: "8.4", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "10.2", }, { model: "retail point-of-service", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "oncommand insight", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "oncommand unified manager", scope: "gte", trust: 1, vendor: "netapp", version: "7.3", }, { model: "enterprise repository", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.3.0.0", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "11.1", }, { model: "insurance calculation engine", scope: "eq", trust: 1, vendor: "oracle", version: "10.2.1", }, { model: "application testing suite", scope: "eq", trust: 1, vendor: "oracle", version: "10.1", }, { model: "service architecture leveraging tuxedo", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.3.0.0", }, { model: "retail central office", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "retail returns management", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "17.0", }, { model: "communications services gatekeeper", scope: "lt", trust: 1, vendor: "oracle", version: "6.1.0.4.0", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "11.0", }, { model: "retail back office", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "peoplesoft enterprise fin install", scope: "eq", trust: 1, vendor: "oracle", version: "9.2", }, { model: "spring framework", scope: "lt", trust: 0.8, vendor: "pivotal", version: "5.0.6", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.2.8", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.2.7", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.3", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.2.5", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.2.9", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.1", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.4", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.0", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.2", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.2.4", }, { model: "spring security", scope: "eq", trust: 0.3, vendor: "pivotal", version: "0", }, { model: "spring framework 5.0.5.release", scope: null, trust: 0.3, vendor: "pivotal", version: null, }, { model: "weblogic server", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.3.60", }, { model: "weblogic server", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.3.0", }, { model: "utilities network management system", scope: "eq", trust: 0.3, vendor: "oracle", version: "1.12.0.3", }, { model: "retail service backbone", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0.1", }, { model: "retail predictive application server", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0", }, { model: "retail predictive application server", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0.3.100", }, { model: "retail predictive application server", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3.37", }, { model: "retail predictive application server", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0.3.26", }, { model: "primavera gateway", scope: "eq", trust: 0.3, vendor: "oracle", version: "17.12", }, { model: "primavera gateway", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.2", }, { model: "primavera gateway", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.2", }, { model: "mysql enterprise monitor", scope: "eq", trust: 0.3, vendor: "oracle", version: "8.0.2.8191", }, { model: "mysql enterprise monitor", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.0.6.5281", }, { model: "mysql enterprise monitor", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.4.9.4237", }, { model: "hospitality guest access", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.2", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.21", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.0.0.0", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.1.0.0", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.0.3.0", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.0.1.0", }, { model: "enterprise manager base platform", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.3.0.0.0", }, { model: "enterprise manager base platform", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2.0.0.0", }, { model: "enterprise manager base platform", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.1.0.5.0", }, { model: "enterprise manager", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2.0.0", }, { model: "endeca information discovery integrator", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.2", }, { model: "endeca information discovery integrator", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.1", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.4", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.3.5", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.3.4", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.3.2", }, { model: "communications services gatekeeper", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "communications services gatekeeper", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.1", }, { model: "communications performance intelligence center software", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.2", }, { model: "communications performance intelligence center software", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.1.5.1", }, { model: "communications performance intelligence center", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.1.5", }, { model: "communications performance intelligence center", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.1", }, { model: "communications performance intelligence center", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.0.3", }, { model: "communications performance intelligence center", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.0", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.1", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0.2", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.1", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.1.6", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.1", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "8.0", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.0", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.0", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.0", }, { model: "communications diameter signaling router", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.0", }, { model: "spring framework 5.0.6.release", scope: "ne", trust: 0.3, vendor: "pivotal", version: null, }, { model: "communications services gatekeeper", scope: "ne", trust: 0.3, vendor: "oracle", version: "6.1.0.4.0", }, { model: "communications performance intelligence center software", scope: "ne", trust: 0.3, vendor: "oracle", version: "10.2.1", }, { model: "communications diameter signaling router", scope: "ne", trust: 0.3, vendor: "oracle", version: "8.3", }, ], sources: [ { db: "BID", id: "104222", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "CNNVD", id: "CNNVD-201805-404", }, { db: "NVD", id: "CVE-2018-1258", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { cpe_match: [ { cpe22Uri: "cpe:/a:pivotal_software:spring_framework", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "JVNDB", id: "JVNDB-2018-005018", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat,Spring Security Team.", sources: [ { db: "CNNVD", id: "CNNVD-201805-404", }, ], trust: 0.6, }, cve: "CVE-2018-1258", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 8, id: "CVE-2018-1258", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 1.9, vectorString: "AV:N/AC:L/Au:S/C:P/I:P/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", author: "VULHUB", availabilityImpact: "PARTIAL", baseScore: 6.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 8, id: "VHN-122553", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 0.1, vectorString: "AV:N/AC:L/AU:S/C:P/I:P/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", exploitabilityScore: 2.8, id: "CVE-2018-1258", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 8.8, baseSeverity: "High", confidentialityImpact: "High", exploitabilityScore: null, id: "CVE-2018-1258", impactScore: null, integrityImpact: "High", privilegesRequired: "Low", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2018-1258", trust: 1, value: "HIGH", }, { author: "NVD", id: "CVE-2018-1258", trust: 0.8, value: "High", }, { author: "CNNVD", id: "CNNVD-201805-404", trust: 0.6, value: "HIGH", }, { author: "VULHUB", id: "VHN-122553", trust: 0.1, value: "MEDIUM", }, { author: "VULMON", id: "CVE-2018-1258", trust: 0.1, value: "MEDIUM", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-122553", }, { db: "VULMON", id: "CVE-2018-1258", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "CNNVD", id: "CNNVD-201805-404", }, { db: "NVD", id: "CVE-2018-1258", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. \nAn attacker can exploit this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks. Pivotal Software Spring Framework is a set of open source Java and JavaEE application frameworks from Pivotal Software in the United States. The framework helps developers build high-quality applications. Pivotal Software Spring Security is a set of security framework provided by American Pivotal Software Company to provide descriptive security protection for Spring-based applications. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat Fuse 7.4.0 security update\nAdvisory ID: RHSA-2019:2413-01\nProduct: Red Hat JBoss Fuse\nAdvisory URL: https://access.redhat.com/errata/RHSA-2019:2413\nIssue date: 2019-08-08\nCVE Names: CVE-2016-10750 CVE-2018-1258 CVE-2018-1320\n CVE-2018-8088 CVE-2018-10899 CVE-2018-15758\n CVE-2019-0192 CVE-2019-3805\n====================================================================\n1. Summary:\n\nA minor version update (from 7.3 to 7.4) is now available for Red Hat Fuse. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nThis release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse\n7.3, and includes bug fixes and enhancements, which are documented in the\nRelease Notes document linked to in the References. \n\nSecurity Fix(es):\n\n* hazelcast: java deserialization in join cluster procedure leading to\nremote code execution (CVE-2016-10750)\n\n* slf4j: Deserialisation vulnerability in EventData constructor can allow\nfor arbitrary code execution (CVE-2018-8088)\n\n* jolokia: system-wide CSRF that could lead to Remote Code Execution\n(CVE-2018-10899)\n\n* spring-security-oauth: Privilege escalation by manipulating saved\nauthorization request (CVE-2018-15758)\n\n* solr: remote code execution due to unsafe deserialization (CVE-2019-0192)\n\n* thrift: SASL negotiation isComplete validation bypass in the\norg.apache.thrift.transport.TSaslTransport class (CVE-2018-1320)\n\n* spring-security-core: Unauthorized Access with Spring Security Method\nSecurity (CVE-2018-1258)\n\n* wildfly: Race condition on PID file allows for termination of arbitrary\nprocesses by local users (CVE-2019-3805)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nInstallation instructions are available from the Fuse 7.4.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1548909 - CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution\n1578582 - CVE-2018-1258 spring-security-core: Unauthorized Access with Spring Security Method Security\n1601037 - CVE-2018-10899 jolokia: system-wide CSRF that could lead to Remote Code Execution\n1643048 - CVE-2018-15758 spring-security-oauth: Privilege escalation by manipulating saved authorization request\n1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users\n1667204 - CVE-2018-1320 thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class\n1692345 - CVE-2019-0192 solr: remote code execution due to unsafe deserialization\n1713215 - CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2016-10750\nhttps://access.redhat.com/security/cve/CVE-2018-1258\nhttps://access.redhat.com/security/cve/CVE-2018-1320\nhttps://access.redhat.com/security/cve/CVE-2018-8088\nhttps://access.redhat.com/security/cve/CVE-2018-10899\nhttps://access.redhat.com/security/cve/CVE-2018-15758\nhttps://access.redhat.com/security/cve/CVE-2019-0192\nhttps://access.redhat.com/security/cve/CVE-2019-3805\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.4.0\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/\n\n6. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXUv0xNzjgjWX9erEAQhCzRAAjdpuIeE+WhWxaZpzsfh333p6RXGKoB8g\n4BGVD7yZjSNoPmRzkSuaNUTT0wYZdRLSNeYK1FvxqZlTBesHbe3IV80gDNiV2vad\nVzwNYukUoa6s8hdzKY/zCKwhuZ5cWkk+FLjFAPEfZt2Typ3kyYPnK/RxNnzfeSgc\n90xh60LImUIJK/hGyOL40z8pGFbG404TJbdezYnQt0/l0NBGxPqBGOHnIgpZhAgw\ngNMEglpIrxap4UzwSEzA5tmjRUDHeUBpsUpKsez5XL2ECssqrRyK8Hj/KeacnARF\nMnvf4U/lIOamD6Tles8IAFo/kexW+OxKiHbivOFutraLdEXysgkK8Uf5EQqYKW9+\n7OgEuyMxUi5Pbj4kL666iBp5oV95gEHm2zcQEbn65BFJ3nomb5nReHh5t7G0AqHy\nGYj9dlx84+UG0Fr717Vi586KwtCu6rgdZJS25+0kSCeZk/cowYLW09G+j/+Jk3yg\nN/uUfoxqmC/A+SyupFh1A9XZg7oZhkB+Qwo6D2+BejiwXsD8Jv4uzrI7U7+Lg/YK\nUFa2oqArMKNrF0zf9152lqCEpOL8dCO3X8RcB8LmQcapmr1MYGB+18oNT4o3JcY3\nAa1hoi5+2gGgR7HHuqTsxnDXYPtgqR9CMylc5gmYsMFK5W3sNX8Z/qazoH3fIVtu\nNNAto03aZgE=rpUB\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n", sources: [ { db: "NVD", id: "CVE-2018-1258", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "BID", id: "104222", }, { db: "VULHUB", id: "VHN-122553", }, { db: "VULMON", id: "CVE-2018-1258", }, { db: "PACKETSTORM", id: "153980", }, ], trust: 2.16, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2018-1258", trust: 3, }, { db: "BID", id: "104222", trust: 2.1, }, { db: "SECTRACK", id: "1041896", trust: 1.8, }, { db: "SECTRACK", id: "1041888", trust: 1.8, }, { db: "JVNDB", id: "JVNDB-2018-005018", trust: 0.8, }, { db: "CNNVD", id: "CNNVD-201805-404", trust: 0.7, }, { db: "PACKETSTORM", id: "153980", trust: 0.7, }, { db: "AUSCERT", id: "ESB-2019.3040", trust: 0.6, }, { db: "VULHUB", id: "VHN-122553", trust: 0.1, }, { db: "VULMON", id: "CVE-2018-1258", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-122553", }, { db: "VULMON", id: "CVE-2018-1258", }, { db: "BID", id: "104222", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "PACKETSTORM", id: "153980", }, { db: "CNNVD", id: "CNNVD-201805-404", }, { db: "NVD", id: "CVE-2018-1258", }, ], }, id: "VAR-201805-1190", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-122553", }, ], trust: 0.01, }, last_update_date: "2024-11-23T20:02:57.708000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "CVE-2018-1258: Unauthorized Access with Spring Security Method Security", trust: 0.8, url: "https://pivotal.io/security/cve-2018-1258", }, { title: "Pivotal Spring Security and Spring Framework Security vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=80031", }, { title: "Red Hat: Important: Red Hat Fuse 7.4.0 security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192413 - Security Advisory", }, { title: "Red Hat: CVE-2018-1258", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-1258", }, { title: "Oracle: Oracle Critical Patch Update Advisory - July 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099", }, { title: "Oracle: Oracle Critical Patch Update Advisory - January 2019", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b", }, { title: "Oracle: Oracle Critical Patch Update Advisory - October 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385", }, { title: "nvd_scrapper", trust: 0.1, url: "https://github.com/abhav/nvd_scrapper ", }, { title: "cybsec", trust: 0.1, url: "https://github.com/ilmari666/cybsec ", }, ], sources: [ { db: "VULMON", id: "CVE-2018-1258", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "CNNVD", id: "CNNVD-201805-404", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-863", trust: 1.1, }, { problemtype: "CWE-285", trust: 0.9, }, ], sources: [ { db: "VULHUB", id: "VHN-122553", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "NVD", id: "CVE-2018-1258", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 3.1, url: "http://www.securityfocus.com/bid/104222", }, { trust: 2.7, url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { trust: 2.5, url: "https://access.redhat.com/errata/rhsa-2019:2413", }, { trust: 2.4, url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { trust: 2.1, url: "https://pivotal.io/security/cve-2018-1258", }, { trust: 2.1, url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { trust: 2.1, url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { trust: 2.1, url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { trust: 1.8, url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { trust: 1.8, url: "https://security.netapp.com/advisory/ntap-20181018-0002/", }, { trust: 1.8, url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { trust: 1.8, url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { trust: 1.8, url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { trust: 1.8, url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { trust: 1.8, url: "http://www.securitytracker.com/id/1041888", }, { trust: 1.8, url: "http://www.securitytracker.com/id/1041896", }, { trust: 0.9, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1258", }, { trust: 0.8, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1258", }, { trust: 0.6, url: "http://pivotal.io/", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/153980/red-hat-security-advisory-2019-2413-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2019.3040/", }, { trust: 0.6, url: "https://www.oracle.com/security-alerts/cpujan2020verbose.html", }, { trust: 0.1, url: "https://cwe.mitre.org/data/definitions/863.html", }, { trust: 0.1, url: "https://tools.cisco.com/security/center/viewalert.x?alertid=57883", }, { trust: 0.1, url: "https://nvd.nist.gov", }, { trust: 0.1, url: "https://github.com/abhav/nvd_scrapper", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.4.0", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1320", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-10899", }, { trust: 0.1, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2016-10750", }, { trust: 0.1, url: "https://www.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-0192", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-8088", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-10899", }, { trust: 0.1, url: "https://bugzilla.redhat.com/):", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1320", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2016-10750", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-15758", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-8088", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-0192", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1258", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2019-3805", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-15758", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2019-3805", }, ], sources: [ { db: "VULHUB", id: "VHN-122553", }, { db: "VULMON", id: "CVE-2018-1258", }, { db: "BID", id: "104222", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "PACKETSTORM", id: "153980", }, { db: "CNNVD", id: "CNNVD-201805-404", }, { db: "NVD", id: "CVE-2018-1258", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-122553", }, { db: "VULMON", id: "CVE-2018-1258", }, { db: "BID", id: "104222", }, { db: "JVNDB", id: "JVNDB-2018-005018", }, { db: "PACKETSTORM", id: "153980", }, { db: "CNNVD", id: "CNNVD-201805-404", }, { db: "NVD", id: "CVE-2018-1258", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2018-05-11T00:00:00", db: "VULHUB", id: "VHN-122553", }, { date: "2018-05-11T00:00:00", db: "VULMON", id: "CVE-2018-1258", }, { date: "2018-05-09T00:00:00", db: "BID", id: "104222", }, { date: "2018-07-04T00:00:00", db: "JVNDB", id: "JVNDB-2018-005018", }, { date: "2019-08-08T14:34:03", db: "PACKETSTORM", id: "153980", }, { date: "2018-05-14T00:00:00", db: "CNNVD", id: "CNNVD-201805-404", }, { date: "2018-05-11T20:29:00.260000", db: "NVD", id: "CVE-2018-1258", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-07-15T00:00:00", db: "VULHUB", id: "VHN-122553", }, { date: "2022-04-11T00:00:00", db: "VULMON", id: "CVE-2018-1258", }, { date: "2019-07-17T09:00:00", db: "BID", id: "104222", }, { date: "2018-07-04T00:00:00", db: "JVNDB", id: "JVNDB-2018-005018", }, { date: "2021-10-21T00:00:00", db: "CNNVD", id: "CNNVD-201805-404", }, { date: "2024-11-21T03:59:28.953000", db: "NVD", id: "CVE-2018-1258", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-201805-404", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Spring Framework Authorization vulnerability", sources: [ { db: "JVNDB", id: "JVNDB-2018-005018", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "authorization issue", sources: [ { db: "CNNVD", id: "CNNVD-201805-404", }, ], trust: 0.6, }, }
var-201804-1676
Vulnerability from variot
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. Spring Framework Contains a security check vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Pivotal Spring Framework is prone to remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. Pivotal Spring Framework is an open source Java and Java EE application framework developed by Pivotal Software in the United States. The framework helps developers build high-quality applications. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update Advisory ID: RHSA-2018:2939-01 Product: Red Hat JBoss Fuse Advisory URL: https://access.redhat.com/errata/RHSA-2018:2939 Issue date: 2018-10-17 CVE Names: CVE-2017-12617 CVE-2018-1260 CVE-2018-1270 CVE-2018-1271 CVE-2018-1275 CVE-2018-1304 CVE-2018-1305 CVE-2018-1336 CVE-2018-7489 ==================================================================== 1. Summary:
An update is now available for Red Hat Fuse Integration Services.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat Fuse Integration Services provides a set of tools and containerized xPaaS images that enable development, deployment, and management of integration microservices within OpenShift.
Security fix(es):
-
jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries (CVE-2018-7489)
-
spring-framework: Address partial fix for CVE-2018-1270 (CVE-2018-1275)
-
spring-framework: Directory traversal vulnerability with static resources on Windows filesystems (CVE-2018-1271)
-
spring-framework: Possible RCE via spring messaging (CVE-2018-1270)
-
spring-security-oauth: remote code execution in the authorization process (CVE-2018-1260)
-
tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)
-
tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)
-
tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)
-
tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Updating instructions and release notes may be found at:
https://access.redhat.com/articles/3060411
- Bugs fixed (https://bugzilla.redhat.com/):
1494283 - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 1548282 - CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users 1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources 1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries 1564405 - CVE-2018-1270 spring-framework: Possible RCE via spring messaging 1565307 - CVE-2018-1275 spring-framework: Address partial fix for CVE-2018-1270 1571050 - CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems 1584376 - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process 1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
- References:
https://access.redhat.com/security/cve/CVE-2017-12617 https://access.redhat.com/security/cve/CVE-2018-1260 https://access.redhat.com/security/cve/CVE-2018-1270 https://access.redhat.com/security/cve/CVE-2018-1271 https://access.redhat.com/security/cve/CVE-2018-1275 https://access.redhat.com/security/cve/CVE-2018-1304 https://access.redhat.com/security/cve/CVE-2018-1305 https://access.redhat.com/security/cve/CVE-2018-1336 https://access.redhat.com/security/cve/CVE-2018-7489 https://access.redhat.com/security/updates/classification/#critical
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBW8eNhdzjgjWX9erEAQgCYw//fxaqJeQ2VPWVSwfYTALj1Lvjrx0bTnip T8MKlgYC4PSKZcOmchvC3f01kNljr1CEJaUQWQi1A+is141gjHgV2nFMSGTUBwBK yGSPLD0oLDJWc/7y7qWMxrotEWjROKIQ72AXwjOtcEeSe9vzSmWotexKR0JYUdgw 8GAMlBhyiQagOncOP3JkWnUkTdNryhY9f5tfX7xfXcDDoxjq4rAVqLrCrWZvr4ec P89vACj8PonE+U5DvFrWWH9nKxGcdvnm0ouib/XFB8GJ/jHhRgBsk/CFpDoEEng5 rzFmbt7fm1OKfgFhRCyrxsVQVUbk0d1ATs+Lpu7Ty3fGysW2bN860Hi+20RSWyow ybjLNU9xSHUG9623XTyyVYgRIox991zpHCHsDWwjsV1NxfjdYlJfHGtuHKNeVQzf h71cHuC7o7VhxZFhMFHjp+O71Ow5N6HcrZAtmKrihfhHRVFugXkvFGRl55gqb4rr Y6/dX/H1abVCNGA5kziXQnO0ce/dAdUZ2mb8XRs3UVgt0MIVD1zisE9d52fsRkr/ NygTi1xn4Pmodoth3C209aA4Iaycixmx4F8HoXSTPNUCYrr0FIjBpDJX35TeTcxg /RU/vyHwdAwz/5aJgFDFxILd4z8a9bIpYGMglMU1rB5y/ovuBB4qUU/o4y8aVYzh bunfRFjDlIY=l0NF -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-201804-1676", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "retail point-of-sale", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "goldengate for big data", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.0.1", }, { model: "primavera gateway", scope: "eq", trust: 1, vendor: "oracle", version: "16.2", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.4", }, { model: "enterprise manager ops center", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2", }, { model: "insurance calculation engine", scope: "eq", trust: 1, vendor: "oracle", version: "10.2", }, { model: "retail central office", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "big data discovery", scope: "eq", trust: 1, vendor: "oracle", version: "1.6.0", }, { model: "retail returns management", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "retail open commerce platform", scope: "eq", trust: 1, vendor: "oracle", version: "6.0.0", }, { model: "goldengate for big data", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.1.1", }, { model: "retail order broker", scope: "eq", trust: 1, vendor: "oracle", version: "5.2", }, { model: "application testing suite", scope: "eq", trust: 1, vendor: "oracle", version: "13.1.0.1", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "16.0.2", }, { model: "spring framework", scope: "gte", trust: 1, vendor: "vmware", version: "5.0.0", }, { model: "retail back office", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "retail open commerce platform", scope: "eq", trust: 1, vendor: "oracle", version: "5.3.0", }, { model: "retail predictive application server", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.1", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "16.0", }, { model: "retail order broker", scope: "eq", trust: 1, vendor: "oracle", version: "15.0", }, { model: "retail predictive application server", scope: "eq", trust: 1, vendor: "oracle", version: "16.0", }, { model: "tape library acsls", scope: "eq", trust: 1, vendor: "oracle", version: "8.4", }, { model: "retail order broker", scope: "eq", trust: 1, vendor: "oracle", version: "5.1", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "16.0.1", }, { model: "communications performance intelligence center", scope: "lt", trust: 1, vendor: "oracle", version: "10.2.1", }, { model: "primavera gateway", scope: "eq", trust: 1, vendor: "oracle", version: "17.12", }, { model: "spring framework", scope: "lt", trust: 1, vendor: "vmware", version: "5.0.5", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.2", }, { model: "communications diameter signaling router", scope: "lt", trust: 1, vendor: "oracle", version: "8.3", }, { model: "service architecture leveraging tuxedo", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2.0.0", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "11.1", }, { model: "application testing suite", scope: "eq", trust: 1, vendor: "oracle", version: "13.2.0.1", }, { model: "retail point-of-sale", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "insurance calculation engine", scope: "eq", trust: 1, vendor: "oracle", version: "10.2.1", }, { model: "fuse", scope: "eq", trust: 1, vendor: "redhat", version: "1.0.0", }, { model: "service architecture leveraging tuxedo", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.3.0.0", }, { model: "healthcare master person index", scope: "eq", trust: 1, vendor: "oracle", version: "3.0", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.2", }, { model: "retail central office", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "retail customer insights", scope: "eq", trust: 1, vendor: "oracle", version: "15.0", }, { model: "spring framework", scope: "lt", trust: 1, vendor: "vmware", version: "4.3.16", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.3", }, { model: "retail returns management", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "goldengate for big data", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.2.1", }, { model: "insurance calculation engine", scope: "eq", trust: 1, vendor: "oracle", version: "10.1.1", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "10.1", }, { model: "application testing suite", scope: "eq", trust: 1, vendor: "oracle", version: "13.3.0.1", }, { model: "retail order broker", scope: "eq", trust: 1, vendor: "oracle", version: "16.0", }, { model: "communications services gatekeeper", scope: "lt", trust: 1, vendor: "oracle", version: "6.1.0.4.0", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "11.0", }, { model: "retail back office", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.1", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "15.0.2", }, { model: "communications converged application server", scope: "lt", trust: 1, vendor: "oracle", version: "7.0.0.1", }, { model: "retail predictive application server", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "10.0", }, { model: "healthcare master person index", scope: "eq", trust: 1, vendor: "oracle", version: "4.0", }, { model: "retail xstore point of service", scope: "eq", trust: 1, vendor: "oracle", version: "7.1", }, { model: "enterprise manager ops center", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.3", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "15.0.0.1", }, { model: "application testing suite", scope: "eq", trust: 1, vendor: "oracle", version: "12.5.0.3", }, { model: "health sciences information manager", scope: "eq", trust: 1, vendor: "oracle", version: "3.0", }, { model: "primavera gateway", scope: "eq", trust: 1, vendor: "oracle", version: "15.2", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.3", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "15.0.1", }, { model: "retail open commerce platform", scope: "eq", trust: 1, vendor: "oracle", version: "6.0.1", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "10.2", }, { model: "retail predictive application server", scope: "eq", trust: 1, vendor: "oracle", version: "15.0", }, { model: "linux", scope: "eq", trust: 1, vendor: "debian", version: "9.0", }, { model: "retail customer insights", scope: "eq", trust: 1, vendor: "oracle", version: "16.0", }, { model: "spring framework", scope: "eq", trust: 0.9, vendor: "pivotal", version: "5.0.4", }, { model: "spring framework", scope: "eq", trust: 0.9, vendor: "pivotal", version: "5.0.3", }, { model: "spring framework", scope: "eq", trust: 0.9, vendor: "pivotal", version: "5.0.2", }, { model: "spring framework", scope: "eq", trust: 0.9, vendor: "pivotal", version: "5.0.1", }, { model: "spring framework", scope: "lt", trust: 0.8, vendor: "pivotal", version: "4.3", }, { model: "spring framework", scope: "eq", trust: 0.8, vendor: "pivotal", version: "4.3.15", }, { model: "spring framework", scope: "lt", trust: 0.8, vendor: "pivotal", version: "5.0", }, { model: "spring framework", scope: "eq", trust: 0.8, vendor: "pivotal", version: "5.0.5", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.3", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.1", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.4", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.0", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.3.2", }, { model: "spring framework", scope: "eq", trust: 0.6, vendor: "pivotal", version: "4.2.9", }, { model: "spring framework", scope: "eq", trust: 0.3, vendor: "pivotal", version: "5.0", }, { model: "spring framework", scope: "eq", trust: 0.3, vendor: "pivotal", version: "4.3.14", }, { model: "spring framework", scope: "eq", trust: 0.3, vendor: "pivotal", version: "4.3", }, { model: "spring framework", scope: "ne", trust: 0.3, vendor: "pivotal", version: "5.0.5", }, { model: "spring framework", scope: "ne", trust: 0.3, vendor: "pivotal", version: "4.3.15", }, ], sources: [ { db: "BID", id: "103696", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "CNNVD", id: "CNNVD-201804-245", }, { db: "NVD", id: "CVE-2018-1270", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { cpe_match: [ { cpe22Uri: "cpe:/a:pivotal_software:spring_framework", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "JVNDB", id: "JVNDB-2018-003097", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Alvaro Munoz (@pwntester) Micro Focus Fortify.", sources: [ { db: "BID", id: "103696", }, ], trust: 0.3, }, cve: "CVE-2018-1270", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2018-1270", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 1.9, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "VHN-122685", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 0.1, vectorString: "AV:N/AC:L/AU:N/C:P/I:P/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2018-1270", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 9.8, baseSeverity: "Critical", confidentialityImpact: "High", exploitabilityScore: null, id: "CVE-2018-1270", impactScore: null, integrityImpact: "High", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2018-1270", trust: 1, value: "CRITICAL", }, { author: "NVD", id: "CVE-2018-1270", trust: 0.8, value: "Critical", }, { author: "CNNVD", id: "CNNVD-201804-245", trust: 0.6, value: "CRITICAL", }, { author: "VULHUB", id: "VHN-122685", trust: 0.1, value: "HIGH", }, { author: "VULMON", id: "CVE-2018-1270", trust: 0.1, value: "HIGH", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-122685", }, { db: "VULMON", id: "CVE-2018-1270", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "CNNVD", id: "CNNVD-201804-245", }, { db: "NVD", id: "CVE-2018-1270", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. Spring Framework Contains a security check vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Pivotal Spring Framework is prone to remote code-execution vulnerability. \nSuccessfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. Pivotal Spring Framework is an open source Java and Java EE application framework developed by Pivotal Software in the United States. The framework helps developers build high-quality applications. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update\nAdvisory ID: RHSA-2018:2939-01\nProduct: Red Hat JBoss Fuse\nAdvisory URL: https://access.redhat.com/errata/RHSA-2018:2939\nIssue date: 2018-10-17\nCVE Names: CVE-2017-12617 CVE-2018-1260 CVE-2018-1270\n CVE-2018-1271 CVE-2018-1275 CVE-2018-1304\n CVE-2018-1305 CVE-2018-1336 CVE-2018-7489\n====================================================================\n1. Summary:\n\nAn update is now available for Red Hat Fuse Integration Services. \n\nRed Hat Product Security has rated this update as having a security impact\nof Critical. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat Fuse Integration Services provides a set of tools and containerized\nxPaaS images that enable development, deployment, and management of\nintegration microservices within OpenShift. \n\nSecurity fix(es):\n\n* jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe\nserialization via c3p0 libraries (CVE-2018-7489)\n\n* spring-framework: Address partial fix for CVE-2018-1270 (CVE-2018-1275)\n\n* spring-framework: Directory traversal vulnerability with static resources\non Windows filesystems (CVE-2018-1271)\n\n* spring-framework: Possible RCE via spring messaging (CVE-2018-1270)\n\n* spring-security-oauth: remote code execution in the authorization process\n(CVE-2018-1260)\n\n* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)\n\n* tomcat: Incorrect handling of empty string URL in security constraints\ncan lead to unintended exposure of resources (CVE-2018-1304)\n\n* tomcat: Late application of security constraints can lead to resource\nexposure for unauthorised users (CVE-2018-1305)\n\n* tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nUpdating instructions and release notes may be found at:\n\nhttps://access.redhat.com/articles/3060411\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1494283 - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615\n1548282 - CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users\n1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources\n1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries\n1564405 - CVE-2018-1270 spring-framework: Possible RCE via spring messaging\n1565307 - CVE-2018-1275 spring-framework: Address partial fix for CVE-2018-1270\n1571050 - CVE-2018-1271 spring-framework: Directory traversal vulnerability with static resources on Windows filesystems\n1584376 - CVE-2018-1260 spring-security-oauth: remote code execution in the authorization process\n1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2017-12617\nhttps://access.redhat.com/security/cve/CVE-2018-1260\nhttps://access.redhat.com/security/cve/CVE-2018-1270\nhttps://access.redhat.com/security/cve/CVE-2018-1271\nhttps://access.redhat.com/security/cve/CVE-2018-1275\nhttps://access.redhat.com/security/cve/CVE-2018-1304\nhttps://access.redhat.com/security/cve/CVE-2018-1305\nhttps://access.redhat.com/security/cve/CVE-2018-1336\nhttps://access.redhat.com/security/cve/CVE-2018-7489\nhttps://access.redhat.com/security/updates/classification/#critical\n\n6. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2018 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBW8eNhdzjgjWX9erEAQgCYw//fxaqJeQ2VPWVSwfYTALj1Lvjrx0bTnip\nT8MKlgYC4PSKZcOmchvC3f01kNljr1CEJaUQWQi1A+is141gjHgV2nFMSGTUBwBK\nyGSPLD0oLDJWc/7y7qWMxrotEWjROKIQ72AXwjOtcEeSe9vzSmWotexKR0JYUdgw\n8GAMlBhyiQagOncOP3JkWnUkTdNryhY9f5tfX7xfXcDDoxjq4rAVqLrCrWZvr4ec\nP89vACj8PonE+U5DvFrWWH9nKxGcdvnm0ouib/XFB8GJ/jHhRgBsk/CFpDoEEng5\nrzFmbt7fm1OKfgFhRCyrxsVQVUbk0d1ATs+Lpu7Ty3fGysW2bN860Hi+20RSWyow\nybjLNU9xSHUG9623XTyyVYgRIox991zpHCHsDWwjsV1NxfjdYlJfHGtuHKNeVQzf\nh71cHuC7o7VhxZFhMFHjp+O71Ow5N6HcrZAtmKrihfhHRVFugXkvFGRl55gqb4rr\nY6/dX/H1abVCNGA5kziXQnO0ce/dAdUZ2mb8XRs3UVgt0MIVD1zisE9d52fsRkr/\nNygTi1xn4Pmodoth3C209aA4Iaycixmx4F8HoXSTPNUCYrr0FIjBpDJX35TeTcxg\n/RU/vyHwdAwz/5aJgFDFxILd4z8a9bIpYGMglMU1rB5y/ovuBB4qUU/o4y8aVYzh\nbunfRFjDlIY=l0NF\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n", sources: [ { db: "NVD", id: "CVE-2018-1270", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "BID", id: "103696", }, { db: "VULHUB", id: "VHN-122685", }, { db: "VULMON", id: "CVE-2018-1270", }, { db: "PACKETSTORM", id: "149847", }, ], trust: 2.16, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2018-1270", trust: 3, }, { db: "BID", id: "103696", trust: 2, }, { db: "EXPLOIT-DB", id: "44796", trust: 1.7, }, { db: "JVNDB", id: "JVNDB-2018-003097", trust: 0.8, }, { db: "AUSCERT", id: "ESB-2019.0544", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.1395", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-201804-245", trust: 0.6, }, { db: "PACKETSTORM", id: "147974", trust: 0.1, }, { db: "SEEBUG", id: "SSVID-97214", trust: 0.1, }, { db: "VULHUB", id: "VHN-122685", trust: 0.1, }, { db: "VULMON", id: "CVE-2018-1270", trust: 0.1, }, { db: "PACKETSTORM", id: "149847", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-122685", }, { db: "VULMON", id: "CVE-2018-1270", }, { db: "BID", id: "103696", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "PACKETSTORM", id: "149847", }, { db: "CNNVD", id: "CNNVD-201804-245", }, { db: "NVD", id: "CVE-2018-1270", }, ], }, id: "VAR-201804-1676", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-122685", }, ], trust: 0.01, }, last_update_date: "2024-11-23T21:30:55.535000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "CVE-2018-1270: Remote Code Execution with spring-messaging", trust: 0.8, url: "https://pivotal.io/security/cve-2018-1270", }, { title: "Pivotal Spring Framework Security vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83088", }, { title: "Red Hat: Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20182939 - Security Advisory", }, { title: "Debian CVElist Bug Report Logs: libspring-java: CVE-2018-1270 CVE-2018-1272", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=cf592ea3b0a1913a29c923afe44cd4b7", }, { title: "Red Hat: CVE-2018-1270", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-1270", }, { title: "Oracle: Oracle Critical Patch Update Advisory - July 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=5f8c525f1408011628af1792207b2099", }, { title: "Oracle: Oracle Critical Patch Update Advisory - January 2019", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=f655264a6935505d167bbf45f409a57b", }, { title: "Oracle: Oracle Critical Patch Update Advisory - October 2018", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=81c63752a6f26433af2128b2e8c02385", }, { title: "IBM: Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3dea47d76eee003a50f853f241578c37", }, { title: "IBM: IBM Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=55ea315dfb69fce8383762ac64250315", }, { title: "CVE-2018-1270", trust: 0.1, url: "https://github.com/Venscor/CVE-2018-1270 ", }, ], sources: [ { db: "VULMON", id: "CVE-2018-1270", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "CNNVD", id: "CNNVD-201804-245", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-358", trust: 1.9, }, { problemtype: "CWE-94", trust: 1, }, ], sources: [ { db: "VULHUB", id: "VHN-122685", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "NVD", id: "CVE-2018-1270", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2.3, url: "http://www.securityfocus.com/bid/103696", }, { trust: 2, url: "https://pivotal.io/security/cve-2018-1270", }, { trust: 1.8, url: "https://access.redhat.com/errata/rhsa-2018:2939", }, { trust: 1.7, url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { trust: 1.7, url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { trust: 1.7, url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { trust: 1.7, url: "https://www.exploit-db.com/exploits/44796/", }, { trust: 1.7, url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { trust: 1.7, url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { trust: 1.7, url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { trust: 1.7, url: "https://lists.debian.org/debian-lts-announce/2021/04/msg00022.html", }, { trust: 1, url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3cissues.geode.apache.org%3e", }, { trust: 0.9, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1270", }, { trust: 0.8, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1270", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/4ed49b103f64a0cecb38064f26cbf1389afc12124653da2d35166dbe@%3cissues.activemq.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/ab825fcade0b49becfa30235b3d54f4a51bb74ea96b6c9adb5d1378c@%3cissues.activemq.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/dcf8599b80e43a6b60482607adb76c64672772dc2d9209ae2170f369@%3cissues.activemq.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3cissues.activemq.apache.org%3e", }, { trust: 0.7, url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3cissues.geode.apache.org%3e", }, { trust: 0.6, url: "http://www.ibm.com/support/docview.wss?uid=ibm10872142", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/75922", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.1395", }, { trust: 0.6, url: "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-guardium-data-encryption-gde-3/", }, { trust: 0.6, url: "https://www-01.ibm.com/support/docview.wss?uid=ibm10872142", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2018-1270", }, { trust: 0.3, url: "http://pivotal.io/", }, { trust: 0.3, url: "https://bugzilla.redhat.com/show_bug.cgi?id=1564405", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1271", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-12617", }, { trust: 0.1, url: "https://access.redhat.com/security/updates/classification/#critical", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1260", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-12617", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1260", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1336", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-7489", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1305", }, { trust: 0.1, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.1, url: "https://www.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-7489", }, { trust: 0.1, url: "https://bugzilla.redhat.com/):", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1336", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1304", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1271", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1304", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-1275", }, { trust: 0.1, url: "https://access.redhat.com/articles/3060411", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1275", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-1305", }, ], sources: [ { db: "VULHUB", id: "VHN-122685", }, { db: "BID", id: "103696", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "PACKETSTORM", id: "149847", }, { db: "CNNVD", id: "CNNVD-201804-245", }, { db: "NVD", id: "CVE-2018-1270", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-122685", }, { db: "VULMON", id: "CVE-2018-1270", }, { db: "BID", id: "103696", }, { db: "JVNDB", id: "JVNDB-2018-003097", }, { db: "PACKETSTORM", id: "149847", }, { db: "CNNVD", id: "CNNVD-201804-245", }, { db: "NVD", id: "CVE-2018-1270", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2018-04-06T00:00:00", db: "VULHUB", id: "VHN-122685", }, { date: "2018-04-06T00:00:00", db: "VULMON", id: "CVE-2018-1270", }, { date: "2018-04-05T00:00:00", db: "BID", id: "103696", }, { date: "2018-05-14T00:00:00", db: "JVNDB", id: "JVNDB-2018-003097", }, { date: "2018-10-18T03:51:21", db: "PACKETSTORM", id: "149847", }, { date: "2018-04-06T00:00:00", db: "CNNVD", id: "CNNVD-201804-245", }, { date: "2018-04-06T13:29:00.453000", db: "NVD", id: "CVE-2018-1270", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-08-31T00:00:00", db: "VULHUB", id: "VHN-122685", }, { date: "2023-11-07T00:00:00", db: "VULMON", id: "CVE-2018-1270", }, { date: "2018-04-05T00:00:00", db: "BID", id: "103696", }, { date: "2018-05-14T00:00:00", db: "JVNDB", id: "JVNDB-2018-003097", }, { date: "2021-10-21T00:00:00", db: "CNNVD", id: "CNNVD-201804-245", }, { date: "2024-11-21T03:59:30.477000", db: "NVD", id: "CVE-2018-1270", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-201804-245", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Spring Framework Vulnerabilities related to security checks", sources: [ { db: "JVNDB", id: "JVNDB-2018-003097", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "code injection", sources: [ { db: "CNNVD", id: "CNNVD-201804-245", }, ], trust: 0.6, }, }
var-202005-0022
Vulnerability from variot
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. Undertow To HTTP There is a vulnerability related to Request Smagling.Information may be obtained and tampered with. Red Hat Undertow is a Java-based embedded Web server of American Red Hat (Red Hat) Company and the default Web server of Wildfly (Java Application Server).
Red Hat Undertow 2.1.1.Final version has an environmental problem vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.1 Security update Advisory ID: RHSA-2020:2512-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:2512 Issue date: 2020-06-10 CVE Names: CVE-2018-14371 CVE-2019-0205 CVE-2019-0210 CVE-2019-10172 CVE-2019-12423 CVE-2019-14887 CVE-2019-17573 CVE-2020-1695 CVE-2020-1729 CVE-2020-1745 CVE-2020-1757 CVE-2020-6950 CVE-2020-7226 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10688 CVE-2020-10719 ==================================================================== 1.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.0, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
cxf: reflected XSS in the services listing page (CVE-2019-17573)
-
cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
-
jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
-
undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757)
-
jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
-
jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
-
resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)
-
cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
-
smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729)
-
resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)
-
jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)
-
undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
-
jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)
-
jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
-
jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)
-
undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
-
libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)
-
libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
-
wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)
-
jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
-
jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.
- Solution:
Before applying this update, ensure all previously released errata relevant to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter 1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720 1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class 1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId 1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page 1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation 1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader 1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-16114 - (7.3.z) Upgrade jboss-vfs to 3.2.15.Final JBEAP-18060 - GSS Upgrade weld from 3.1.2.Final-redhat-00001 to 3.1.4.Final-redhat-00001 JBEAP-18163 - (7.3.z) Upgrade HAL from 3.2.3.Final-redhat-00001 to 3.2.8.Final-redhat-00001 JBEAP-18221 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00012 JBEAP-18240 - (7.3.z) Update the Chinese translations in WildFly Core JBEAP-18241 - (7.3.z) Update the Japanese translations in WildFly Core JBEAP-18273 - (7.3.z) Upgrade IronJacamar from 1.4.19.Final to 1.4.20.Final JBEAP-18277 - GSS Upgrade JBoss JSF API from 3.0.0.SP01-redhat-00001 to 3.0.0.SP02-redhat-00001 JBEAP-18288 - GSS Upgrade FasterXML from 2.10.0 to 2.10.3 JBEAP-18294 - (7.3.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10 JBEAP-18302 - GSS Upgrade wildfly-http-client from 1.0.18 to 1.0.20 JBEAP-18315 - GSS Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00010 JBEAP-18346 - GSS Upgrade jakarta.el from 3.0.2.redhat-00001 to 3.0.3.redhat-00002 JBEAP-18352 - GSS Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.18.Final-redhat-00001 JBEAP-18361 - GSS Upgrade Woodstox from 5.0.3 to 6.0.3 JBEAP-18367 - GSS Upgrade Hibernate ORM from 5.3.15 to 5.3.16 JBEAP-18393 - GSS Update $JBOSS_HOME/docs/schema to show https schema URL instead of http JBEAP-18398 - Tracker bug for the EAP 7.3.1 release for RHEL-7 JBEAP-18409 - GSS Upgrade Infinispan from 9.4.16.Final-redhat-00002 to 9.4.18.Final-redhat-00001 JBEAP-18527 - (7.3.z) Upgrade WildFly Naming Client from 1.0.10.Final to 1.0.12.Final JBEAP-18528 - (7.3.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.31.Final-redhat-00001 JBEAP-18596 - GSS Upgrade JBoss Modules from 1.9.1 to 1.10.0 JBEAP-18598 - GSS Upgrade Bouncycastle from 1.60.0-redhat-00001 to 1.60.0-redhat-00002 JBEAP-18640 - [Runtimes] (7.3.x) Upgrade slf4j-jboss-logmanager from 1.0.3.GA.redhat-2 to 1.0.4.GA.redhat-00001 JBEAP-18653 - (7.3.z) Upgrade Apache CXF from 3.3.4.redhat-00001 to 3.3.5.redhat-00001 JBEAP-18706 - (7.3.z) Upgrade elytron-web from 1.6.0.Final to 1.6.1.Final JBEAP-18770 - Upgrade Jandex to 2.1.2.Final-redhat-00001 JBEAP-18775 - (7.3.z) Upgrade WildFly Core to 10.1.4.Final-redhat-00001 JBEAP-18788 - (7.3.x) Upgrade wss4j from 2.2.4.redhat-00001 to 2.2.5.redhat-00001 JBEAP-18790 - (7.3.z) Upgrade cryptacular from 1.2.0.redhat-1 to 1.2.4.redhat-00001 JBEAP-18818 - (7.3.z) Upgrade PicketBox from 5.0.3.Final-redhat-00005 to 5.0.3.Final-redhat-00006 JBEAP-18836 - GSS Upgrade Remoting JMX from 3.0.3 to 3.0.4 JBEAP-18850 - (7.3.z) Upgrade smallrye-config from 1.4.1 to 1.6.2 JBEAP-18870 - Upgrade WildFly Common to 1.5.2.Final.redhat-00002 JBEAP-18875 - Upgrade MicroProfile Metrics API to 2.3 and smallrye-metrics to 2.4.0 JBEAP-18876 - Upgrade Smallrye Health to 2.2.0 and MP Health API to 2.2 JBEAP-18877 - (7.3.z) Upgrade Jaeger client to 0.34.3 JBEAP-18878 - Upgrade Smallrye Opentracing to 1.3.4 and MP Opentracing to 1.3.3 JBEAP-18879 - (7.3.z) Upgrade MicroProfile Config 1.4 JBEAP-18929 - (7.3.z) Upgrade WildFly Elytron from 1.10.5.Final-redhat-00001 to 1.10.6.Final JBEAP-18990 - (7.3.z) Upgrade jasypt from 1.9.2 to 1.9.3-redhat-00001 JBEAP-18991 - (7.3.z) Upgrade opensaml from 3.3.0.redhat-1 to 3.3.1-redhat-00002 JBEAP-19035 - In Building Custom Layers, update pom.xml content for 7.3.1 JBEAP-19054 - Upgrade MP REST Client to 1.4.0.redhat-00004 JBEAP-19066 - Upgrade snakeyaml from 1.18.0.redhat-2 to 1.24.0.redhat-00001 JBEAP-19117 - GSS Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.4.Final-redhat-00001 JBEAP-19133 - GSS Upgrade JSF based on Mojarra 2.3.9.SP08-redhat-00001 to 2.3.9.SP09-redhat-00001 JBEAP-19156 - (7.3.z) Upgrade RESTEasy from 3.11.1.Final.redhat-00001 to 3.11.2.Final.redhat-00001 JBEAP-19181 - (7.3.z) Upgrade WildFly Core to 10.1.5.Final-redhat-00001 JBEAP-19192 - (7.3.z) Update the Japanese translations JBEAP-19232 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.7.Final-redhat-00001 JBEAP-19281 - (7.3.z) Upgrade undertow from 2.0.30.SP2-redhat-00001 to 2.0.30.SP3-redhat-00001 JBEAP-19456 - Upgrade wildfly-transaction-client to 1.1.11.Final
-
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
-
References:
https://access.redhat.com/security/cve/CVE-2018-14371 https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10172 https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1729 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-7226 https://access.redhat.com/security/cve/CVE-2020-8840 https://access.redhat.com/security/cve/CVE-2020-9546 https://access.redhat.com/security/cve/CVE-2020-9547 https://access.redhat.com/security/cve/CVE-2020-9548 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXuHcw9zjgjWX9erEAQh0/w//WCP+lyWNO4PYWG/1MPkiCmf9kc3lABZ/ zn5l0eEXpeV248b6iJ+xq4vgT3+7akvE4u0XOd0yV+dxoLXHGeNoNa5RDeRGFtEJ MbFhSdoOMYJDB14vBcZ6Zwc3lGQX8CrBjACI8mrGOpJIniP4H5dBB+Kb8QhXue82 FhdEppkBiTzMe0t1yWP6pIRgmtLcBGrPG8a5v1R/c8n/1ADIJiXaS8xQGI1x+z17 dJIwoQoF1QacJkDq5AqFHdN8cUqsiqsKNKDbm3B5JR6JEwlMSVGtlrMlxsXX2N9F QMB5LuOOUUfSsm2V1C1PCQ3bBPaXFNJk6upZjeRDQtyP0CxQHASrCgT+kkZAof6F SvflzocaHI/umyATKJkJua3WffJm1YXTGMQSGGgkvUdTxKz6RqAWGN5hOU+oced+ sCYp6gieKvwR4a+ubDfXLoyQ01g1/+f+g5EabKJkVKvsEEFxHPzL4w7cWA6ESG88 DnJ+fgf1tycBJD7Lw7IsmN1ckGWHtY+NzOV6btr+4UC4+qeC9D7b9n7UxSK2gGCE zAMEW88O3RYVB6QofV3Ysx/SHbQrdSfuVVGhzgSDHmYTLRjr31xXaQvFP4QAJS9a bD/W2ZVeN3/nSPduC18i1ZYzDmeP3+A+KS2S4/VWjMs5NSMNlF03RX2KDvegbi9J ULGZnlcYAXQ\xcfE3 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description:
Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):
1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution 1790759 - CVE-2020-1694 keycloak: verify-token-audience support is missing in the NodeJS adapter 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size 1836786 - CVE-2020-10748 keycloak: top-level navigations to data URLs resulting in XSS are possible (incomplete fix of CVE-2020-1697) 1850004 - CVE-2020-11023 jQuery: passing HTML containing elements to manipulation methods could result in untrusted code execution
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-202005-0022", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "jboss enterprise application platform", scope: "eq", trust: 1, vendor: "redhat", version: "7.3", }, { model: "jboss enterprise application platform", scope: "eq", trust: 1, vendor: "redhat", version: null, }, { model: "jboss enterprise application platform", scope: "eq", trust: 1, vendor: "redhat", version: "7.4", }, { model: "single sign-on", scope: "eq", trust: 1, vendor: "redhat", version: null, }, { model: "jboss enterprise application platform", scope: "eq", trust: 1, vendor: "redhat", version: "7.2", }, { model: "active iq unified manager", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "undertow", scope: "lt", trust: 1, vendor: "redhat", version: "2.1.1", }, { model: "fuse", scope: "eq", trust: 1, vendor: "redhat", version: "1.0", }, { model: "oncommand insight", scope: "lt", trust: 1, vendor: "netapp", version: "7.3.13", }, { model: "openshift application runtimes", scope: "eq", trust: 1, vendor: "redhat", version: null, }, { model: "oncommand workflow automation", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "undertow", scope: "eq", trust: 0.8, vendor: "red hat", version: "2.1.1", }, { model: "hat undertow <2.1.1.final", scope: null, trust: 0.6, vendor: "red", version: null, }, ], sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "NVD", id: "CVE-2020-10719", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { cpe_match: [ { cpe22Uri: "cpe:/a:redhat:undertow", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-005881", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "157641", }, { db: "PACKETSTORM", id: "158048", }, { db: "PACKETSTORM", id: "157640", }, { db: "PACKETSTORM", id: "158282", }, { db: "PACKETSTORM", id: "157638", }, { db: "PACKETSTORM", id: "158038", }, { db: "CNNVD", id: "CNNVD-202005-237", }, ], trust: 1.2, }, cve: "CVE-2020-10719", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2020-10719", impactScore: 4.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 1, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, { acInsufInfo: null, accessComplexity: "Low", accessVector: "Network", authentication: "None", author: "NVD", availabilityImpact: "None", baseScore: 6.4, confidentialityImpact: "Partial", exploitabilityScore: null, id: "JVNDB-2020-005881", impactScore: null, integrityImpact: "Partial", obtainAllPrivilege: null, obtainOtherPrivilege: null, obtainUserPrivilege: null, severity: "Medium", trust: 0.8, userInteractionRequired: null, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "CNVD", availabilityImpact: "NONE", baseScore: 6.4, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CNVD-2020-35679", impactScore: 4.9, integrityImpact: "PARTIAL", severity: "MEDIUM", trust: 0.6, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:N", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", exploitabilityScore: 3.9, id: "CVE-2020-10719", impactScore: 2.5, integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 2, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "None", baseScore: 6.5, baseSeverity: "Medium", confidentialityImpact: "Low", exploitabilityScore: null, id: "JVNDB-2020-005881", impactScore: null, integrityImpact: "Low", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2020-10719", trust: 1, value: "MEDIUM", }, { author: "secalert@redhat.com", id: "CVE-2020-10719", trust: 1, value: "MEDIUM", }, { author: "NVD", id: "JVNDB-2020-005881", trust: 0.8, value: "Medium", }, { author: "CNVD", id: "CNVD-2020-35679", trust: 0.6, value: "MEDIUM", }, { author: "CNNVD", id: "CNNVD-202005-237", trust: 0.6, value: "MEDIUM", }, ], }, ], sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "CNNVD", id: "CNNVD-202005-237", }, { db: "NVD", id: "CVE-2020-10719", }, { db: "NVD", id: "CVE-2020-10719", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. Undertow To HTTP There is a vulnerability related to Request Smagling.Information may be obtained and tampered with. Red Hat Undertow is a Java-based embedded Web server of American Red Hat (Red Hat) Company and the default Web server of Wildfly (Java Application Server). \n\r\n\r\nRed Hat Undertow 2.1.1.Final version has an environmental problem vulnerability. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.1 Security update\nAdvisory ID: RHSA-2020:2512-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2512\nIssue date: 2020-06-10\nCVE Names: CVE-2018-14371 CVE-2019-0205 CVE-2019-0210\n CVE-2019-10172 CVE-2019-12423 CVE-2019-14887\n CVE-2019-17573 CVE-2020-1695 CVE-2020-1729\n CVE-2020-1745 CVE-2020-1757 CVE-2020-6950\n CVE-2020-7226 CVE-2020-8840 CVE-2020-9546\n CVE-2020-9547 CVE-2020-9548 CVE-2020-10688\n CVE-2020-10719\n====================================================================\n1. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.1 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.3.0,\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.3.1 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* cxf: reflected XSS in the services listing page (CVE-2019-17573)\n\n* cxf-core: cxf: OpenId Connect token service does not properly validate\nthe clientId (CVE-2019-12423)\n\n* jackson-mapper-asl: XML external entity similar to CVE-2016-3720\n(CVE-2019-10172)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous\napplication mapping which could result in security bypass (CVE-2020-1757)\n\n* jackson-databind: XML external entity similar to CVE-2016-3720\n(CVE-2019-10172)\n\n* jackson-mapper-asl: XML external entity similar to CVE-2016-3720\n(CVE-2019-10172)\n\n* resteasy-jaxrs: resteasy: Improper validation of response header in\nMediaTypeHeaderDelegate.java class (CVE-2020-1695)\n\n* cryptacular: excessive memory allocation during a decode operation\n(CVE-2020-7226)\n\n* smallrye-config: SmallRye: SecuritySupport class is incorrectly public\nand contains a static method to access the current threads context class\nloader (CVE-2020-1729)\n\n* resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected\nXSS attack (CVE-2020-10688)\n\n* jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n(CVE-2020-8840)\n\n* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)\n\n* jackson-databind: Serialization gadgets in shaded-hikari-config\n(CVE-2020-9546)\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\n* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\n* libthrift: thrift: Endless loop when feed with specific input data\n(CVE-2019-0205)\n\n* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or\nTSimpleJSONProtocol (CVE-2019-0210)\n\n* wildfly: The 'enabled-protocols' value in legacy security is not\nrespected if OpenSSL security provider is in use (CVE-2019-14887)\n\n* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con\nparameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)\n\n* jsf-impl: mojarra: Path traversal in\nResourceManager.java:getLocalePrefix() via the loc parameter\n(CVE-2018-14371)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, see the CVE page(s) listed in the\nReferences section. \n\n4. Solution:\n\nBefore applying this update, ensure all previously released errata relevant\nto your system have been applied. \n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter\n1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720\n1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class\n1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass\n1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol\n1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data\n1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use\n1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId\n1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page\n1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation\n1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader\n1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371\n1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability\n1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack\n1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config\n1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap\n1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core\n1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-16114 - (7.3.z) Upgrade jboss-vfs to 3.2.15.Final\nJBEAP-18060 - [GSS](7.3.z) Upgrade weld from 3.1.2.Final-redhat-00001 to 3.1.4.Final-redhat-00001\nJBEAP-18163 - (7.3.z) Upgrade HAL from 3.2.3.Final-redhat-00001 to 3.2.8.Final-redhat-00001\nJBEAP-18221 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00012\nJBEAP-18240 - (7.3.z) Update the Chinese translations in WildFly Core\nJBEAP-18241 - (7.3.z) Update the Japanese translations in WildFly Core\nJBEAP-18273 - (7.3.z) Upgrade IronJacamar from 1.4.19.Final to 1.4.20.Final\nJBEAP-18277 - [GSS](7.3.z) Upgrade JBoss JSF API from 3.0.0.SP01-redhat-00001 to 3.0.0.SP02-redhat-00001\nJBEAP-18288 - [GSS](7.3.z) Upgrade FasterXML from 2.10.0 to 2.10.3\nJBEAP-18294 - (7.3.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10\nJBEAP-18302 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.18 to 1.0.20\nJBEAP-18315 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00010\nJBEAP-18346 - [GSS](7.3.z) Upgrade jakarta.el from 3.0.2.redhat-00001 to 3.0.3.redhat-00002\nJBEAP-18352 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.18.Final-redhat-00001\nJBEAP-18361 - [GSS](7.3.z) Upgrade Woodstox from 5.0.3 to 6.0.3\nJBEAP-18367 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.15 to 5.3.16\nJBEAP-18393 - [GSS](7.3.z) Update $JBOSS_HOME/docs/schema to show https schema URL instead of http\nJBEAP-18398 - Tracker bug for the EAP 7.3.1 release for RHEL-7\nJBEAP-18409 - [GSS](7.3.z) Upgrade Infinispan from 9.4.16.Final-redhat-00002 to 9.4.18.Final-redhat-00001\nJBEAP-18527 - (7.3.z) Upgrade WildFly Naming Client from 1.0.10.Final to 1.0.12.Final\nJBEAP-18528 - (7.3.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.31.Final-redhat-00001\nJBEAP-18596 - [GSS](7.3.z) Upgrade JBoss Modules from 1.9.1 to 1.10.0\nJBEAP-18598 - [GSS](7.3.z) Upgrade Bouncycastle from 1.60.0-redhat-00001 to 1.60.0-redhat-00002\nJBEAP-18640 - [Runtimes] (7.3.x) Upgrade slf4j-jboss-logmanager from 1.0.3.GA.redhat-2 to 1.0.4.GA.redhat-00001\nJBEAP-18653 - (7.3.z) Upgrade Apache CXF from 3.3.4.redhat-00001 to 3.3.5.redhat-00001\nJBEAP-18706 - (7.3.z) Upgrade elytron-web from 1.6.0.Final to 1.6.1.Final\nJBEAP-18770 - Upgrade Jandex to 2.1.2.Final-redhat-00001\nJBEAP-18775 - (7.3.z) Upgrade WildFly Core to 10.1.4.Final-redhat-00001\nJBEAP-18788 - (7.3.x) Upgrade wss4j from 2.2.4.redhat-00001 to 2.2.5.redhat-00001\nJBEAP-18790 - (7.3.z) Upgrade cryptacular from 1.2.0.redhat-1 to 1.2.4.redhat-00001\nJBEAP-18818 - (7.3.z) Upgrade PicketBox from 5.0.3.Final-redhat-00005 to 5.0.3.Final-redhat-00006\nJBEAP-18836 - [GSS](7.3.z) Upgrade Remoting JMX from 3.0.3 to 3.0.4\nJBEAP-18850 - (7.3.z) Upgrade smallrye-config from 1.4.1 to 1.6.2\nJBEAP-18870 - Upgrade WildFly Common to 1.5.2.Final.redhat-00002\nJBEAP-18875 - Upgrade MicroProfile Metrics API to 2.3 and smallrye-metrics to 2.4.0\nJBEAP-18876 - Upgrade Smallrye Health to 2.2.0 and MP Health API to 2.2\nJBEAP-18877 - (7.3.z) Upgrade Jaeger client to 0.34.3\nJBEAP-18878 - Upgrade Smallrye Opentracing to 1.3.4 and MP Opentracing to 1.3.3\nJBEAP-18879 - (7.3.z) Upgrade MicroProfile Config 1.4\nJBEAP-18929 - (7.3.z) Upgrade WildFly Elytron from 1.10.5.Final-redhat-00001 to 1.10.6.Final\nJBEAP-18990 - (7.3.z) Upgrade jasypt from 1.9.2 to 1.9.3-redhat-00001\nJBEAP-18991 - (7.3.z) Upgrade opensaml from 3.3.0.redhat-1 to 3.3.1-redhat-00002\nJBEAP-19035 - In Building Custom Layers, update pom.xml content for 7.3.1\nJBEAP-19054 - Upgrade MP REST Client to 1.4.0.redhat-00004\nJBEAP-19066 - Upgrade snakeyaml from 1.18.0.redhat-2 to 1.24.0.redhat-00001\nJBEAP-19117 - [GSS](7.3.z) Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.4.Final-redhat-00001\nJBEAP-19133 - [GSS](7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP08-redhat-00001 to 2.3.9.SP09-redhat-00001\nJBEAP-19156 - (7.3.z) Upgrade RESTEasy from 3.11.1.Final.redhat-00001 to 3.11.2.Final.redhat-00001\nJBEAP-19181 - (7.3.z) Upgrade WildFly Core to 10.1.5.Final-redhat-00001\nJBEAP-19192 - (7.3.z) Update the Japanese translations\nJBEAP-19232 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.7.Final-redhat-00001\nJBEAP-19281 - (7.3.z) Upgrade undertow from 2.0.30.SP2-redhat-00001 to 2.0.30.SP3-redhat-00001\nJBEAP-19456 - Upgrade wildfly-transaction-client to 1.1.11.Final\n\n7. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-14371\nhttps://access.redhat.com/security/cve/CVE-2019-0205\nhttps://access.redhat.com/security/cve/CVE-2019-0210\nhttps://access.redhat.com/security/cve/CVE-2019-10172\nhttps://access.redhat.com/security/cve/CVE-2019-12423\nhttps://access.redhat.com/security/cve/CVE-2019-14887\nhttps://access.redhat.com/security/cve/CVE-2019-17573\nhttps://access.redhat.com/security/cve/CVE-2020-1695\nhttps://access.redhat.com/security/cve/CVE-2020-1729\nhttps://access.redhat.com/security/cve/CVE-2020-1745\nhttps://access.redhat.com/security/cve/CVE-2020-1757\nhttps://access.redhat.com/security/cve/CVE-2020-6950\nhttps://access.redhat.com/security/cve/CVE-2020-7226\nhttps://access.redhat.com/security/cve/CVE-2020-8840\nhttps://access.redhat.com/security/cve/CVE-2020-9546\nhttps://access.redhat.com/security/cve/CVE-2020-9547\nhttps://access.redhat.com/security/cve/CVE-2020-9548\nhttps://access.redhat.com/security/cve/CVE-2020-10688\nhttps://access.redhat.com/security/cve/CVE-2020-10719\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXuHcw9zjgjWX9erEAQh0/w//WCP+lyWNO4PYWG/1MPkiCmf9kc3lABZ/\nzn5l0eEXpeV248b6iJ+xq4vgT3+7akvE4u0XOd0yV+dxoLXHGeNoNa5RDeRGFtEJ\nMbFhSdoOMYJDB14vBcZ6Zwc3lGQX8CrBjACI8mrGOpJIniP4H5dBB+Kb8QhXue82\nFhdEppkBiTzMe0t1yWP6pIRgmtLcBGrPG8a5v1R/c8n/1ADIJiXaS8xQGI1x+z17\ndJIwoQoF1QacJkDq5AqFHdN8cUqsiqsKNKDbm3B5JR6JEwlMSVGtlrMlxsXX2N9F\nQMB5LuOOUUfSsm2V1C1PCQ3bBPaXFNJk6upZjeRDQtyP0CxQHASrCgT+kkZAof6F\nSvflzocaHI/umyATKJkJua3WffJm1YXTGMQSGGgkvUdTxKz6RqAWGN5hOU+oced+\nsCYp6gieKvwR4a+ubDfXLoyQ01g1/+f+g5EabKJkVKvsEEFxHPzL4w7cWA6ESG88\nDnJ+fgf1tycBJD7Lw7IsmN1ckGWHtY+NzOV6btr+4UC4+qeC9D7b9n7UxSK2gGCE\nzAMEW88O3RYVB6QofV3Ysx/SHbQrdSfuVVGhzgSDHmYTLRjr31xXaQvFP4QAJS9a\nbD/W2ZVeN3/nSPduC18i1ZYzDmeP3+A+KS2S4/VWjMs5NSMNlF03RX2KDvegbi9J\nULGZnlcYAXQ\\xcfE3\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nRed Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak\nproject, that provides authentication and standards-based single sign-on\ncapabilities for web and mobile applications. Bugs fixed (https://bugzilla.redhat.com/):\n\n1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution\n1790759 - CVE-2020-1694 keycloak: verify-token-audience support is missing in the NodeJS adapter\n1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config\n1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap\n1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core\n1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size\n1836786 - CVE-2020-10748 keycloak: top-level navigations to data URLs resulting in XSS are possible (incomplete fix of CVE-2020-1697)\n1850004 - CVE-2020-11023 jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution\n\n5. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect", sources: [ { db: "NVD", id: "CVE-2020-10719", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "CNVD", id: "CNVD-2020-35679", }, { db: "VULMON", id: "CVE-2020-10719", }, { db: "PACKETSTORM", id: "157641", }, { db: "PACKETSTORM", id: "158048", }, { db: "PACKETSTORM", id: "157640", }, { db: "PACKETSTORM", id: "158282", }, { db: "PACKETSTORM", id: "157638", }, { db: "PACKETSTORM", id: "158038", }, ], trust: 2.79, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2020-10719", trust: 3.7, }, { db: "JVNDB", id: "JVNDB-2020-005881", trust: 0.8, }, { db: "PACKETSTORM", id: "158048", trust: 0.7, }, { db: "PACKETSTORM", id: "158282", trust: 0.7, }, { db: "CNVD", id: "CNVD-2020-35679", trust: 0.6, }, { db: "PACKETSTORM", id: "163798", trust: 0.6, }, { db: "PACKETSTORM", id: "159015", trust: 0.6, }, { db: "PACKETSTORM", id: "158532", trust: 0.6, }, { db: "PACKETSTORM", id: "157642", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2020.2536", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2021.2731", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2020.1659", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2020.2287", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2020.2050", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2020.2042", trust: 0.6, }, { db: "AUSCERT", id: "ESB-2020.2992", trust: 0.6, }, { db: "NSFOCUS", id: "47934", trust: 0.6, }, { db: "CNNVD", id: "CNNVD-202005-237", trust: 0.6, }, { db: "VULMON", id: "CVE-2020-10719", trust: 0.1, }, { db: "PACKETSTORM", id: "157641", trust: 0.1, }, { db: "PACKETSTORM", id: "157640", trust: 0.1, }, { db: "PACKETSTORM", id: "157638", trust: 0.1, }, { db: "PACKETSTORM", id: "158038", trust: 0.1, }, ], sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, { db: "VULMON", id: "CVE-2020-10719", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "PACKETSTORM", id: "157641", }, { db: "PACKETSTORM", id: "158048", }, { db: "PACKETSTORM", id: "157640", }, { db: "PACKETSTORM", id: "158282", }, { db: "PACKETSTORM", id: "157638", }, { db: "PACKETSTORM", id: "158038", }, { db: "CNNVD", id: "CNNVD-202005-237", }, { db: "NVD", id: "CVE-2020-10719", }, ], }, id: "VAR-202005-0022", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, ], trust: 1.6, }, iot_taxonomy: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { category: [ "Network device", ], sub_category: null, trust: 0.6, }, ], sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, ], }, last_update_date: "2024-11-29T21:11:25.951000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "Bug 1828459", trust: 0.8, url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10719", }, { title: "Patch for Red Hat Undertow Environmental Issue Vulnerability", trust: 0.6, url: "https://www.cnvd.org.cn/patchInfo/show/224079", }, { title: "Red Hat Undertow Remediation measures for environmental problem vulnerabilities", trust: 0.6, url: "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=119577", }, { title: "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 6 security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202058 - Security Advisory", }, { title: "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 8 security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202060 - Security Advisory", }, { title: "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.8 security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202061 - Security Advisory", }, { title: "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 7 security update", trust: 0.1, url: "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20202059 - Security Advisory", }, ], sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, { db: "VULMON", id: "CVE-2020-10719", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "CNNVD", id: "CNNVD-202005-237", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-444", trust: 1.8, }, ], sources: [ { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "NVD", id: "CVE-2020-10719", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-10719", }, { trust: 1.8, url: "https://access.redhat.com/security/cve/cve-2020-10719", }, { trust: 1.6, url: "https://security.netapp.com/advisory/ntap-20220210-0014/", }, { trust: 1.6, url: "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2020-10719", }, { trust: 0.8, url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-10719", }, { trust: 0.6, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.6, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.6, url: "https://www.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.6, url: "https://bugzilla.redhat.com/):", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2050/", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/157642/red-hat-security-advisory-2020-2058-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/158532/red-hat-security-advisory-2020-2905-01.html", }, { trust: 0.6, url: "http://www.nsfocus.net/vulndb/47934", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/158048/red-hat-security-advisory-2020-2512-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2042/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2992/", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/158282/red-hat-security-advisory-2020-2813-01.html", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/159015/red-hat-security-advisory-2020-3585-01.html", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2287/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.2536/", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2021.2731", }, { trust: 0.6, url: "https://www.auscert.org.au/bulletins/esb-2020.1659/", }, { trust: 0.6, url: "https://packetstormsecurity.com/files/163798/red-hat-security-advisory-2021-3140-01.html", }, { trust: 0.6, url: "https://vigilance.fr/vulnerability/red-hat-jboss-enterprise-application-platform-seven-vulnerabilities-32233", }, { trust: 0.5, url: "https://issues.jboss.org/):", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2019-10172", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2019-17573", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1745", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2019-17573", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2020-7226", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2019-10172", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2020-1729", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2020-1757", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1729", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2020-7226", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2019-12423", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2019-12423", }, { trust: 0.5, url: "https://access.redhat.com/security/cve/cve-2020-1745", }, { trust: 0.5, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1757", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-1719", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1732", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1719", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-10705", }, { trust: 0.3, url: "https://access.redhat.com/articles/11258", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-10705", }, { trust: 0.3, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/", }, { trust: 0.3, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-1732", }, { trust: 0.3, url: "https://access.redhat.com/security/team/key/", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-9547", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-9546", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-9547", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-9548", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-9548", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2020-8840", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-9546", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2020-8840", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-6950", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-1695", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-14887", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-10688", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-0210", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2019-0205", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1695", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-0210", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-14887", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2020-10688", }, { trust: 0.2, url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2020-6950", }, { trust: 0.2, url: "https://nvd.nist.gov/vuln/detail/cve-2018-14371", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2018-14371", }, { trust: 0.2, url: "https://access.redhat.com/security/cve/cve-2019-0205", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2058", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2059", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2512", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2061", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform&downloadtype=securitypatches&version=7.2", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-11023", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches&product=core.service.rhsso&version=7.4", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-10748", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-11023", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-11022", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1694", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-10748", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-1714", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2813", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2020-1714", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-11022", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2020-1694", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2060", }, { trust: 0.1, url: "https://access.redhat.com/errata/rhsa-2020:2515", }, ], sources: [ { db: "CNVD", id: "CNVD-2020-35679", }, { db: "VULMON", id: "CVE-2020-10719", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "PACKETSTORM", id: "157641", }, { db: "PACKETSTORM", id: "158048", }, { db: "PACKETSTORM", id: "157640", }, { db: "PACKETSTORM", id: "158282", }, { db: "PACKETSTORM", id: "157638", }, { db: "PACKETSTORM", id: "158038", }, { db: "CNNVD", id: "CNNVD-202005-237", }, { db: "NVD", id: "CVE-2020-10719", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "CNVD", id: "CNVD-2020-35679", }, { db: "VULMON", id: "CVE-2020-10719", }, { db: "JVNDB", id: "JVNDB-2020-005881", }, { db: "PACKETSTORM", id: "157641", }, { db: "PACKETSTORM", id: "158048", }, { db: "PACKETSTORM", id: "157640", }, { db: "PACKETSTORM", id: "158282", }, { db: "PACKETSTORM", id: "157638", }, { db: "PACKETSTORM", id: "158038", }, { db: "CNNVD", id: "CNNVD-202005-237", }, { db: "NVD", id: "CVE-2020-10719", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-07-01T00:00:00", db: "CNVD", id: "CNVD-2020-35679", }, { date: "2020-05-26T00:00:00", db: "VULMON", id: "CVE-2020-10719", }, { date: "2020-06-24T00:00:00", db: "JVNDB", id: "JVNDB-2020-005881", }, { date: "2020-05-11T21:14:21", db: "PACKETSTORM", id: "157641", }, { date: "2020-06-11T16:36:20", db: "PACKETSTORM", id: "158048", }, { date: "2020-05-11T21:14:15", db: "PACKETSTORM", id: "157640", }, { date: "2020-07-02T15:43:25", db: "PACKETSTORM", id: "158282", }, { date: "2020-05-11T21:14:00", db: "PACKETSTORM", id: "157638", }, { date: "2020-06-11T16:34:25", db: "PACKETSTORM", id: "158038", }, { date: "2020-05-06T00:00:00", db: "CNNVD", id: "CNNVD-202005-237", }, { date: "2020-05-26T16:15:12.180000", db: "NVD", id: "CVE-2020-10719", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-07-01T00:00:00", db: "CNVD", id: "CNVD-2020-35679", }, { date: "2020-05-29T00:00:00", db: "VULMON", id: "CVE-2020-10719", }, { date: "2020-06-24T00:00:00", db: "JVNDB", id: "JVNDB-2020-005881", }, { date: "2022-03-10T00:00:00", db: "CNNVD", id: "CNNVD-202005-237", }, { date: "2024-11-21T04:55:55.363000", db: "NVD", id: "CVE-2020-10719", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "CNNVD", id: "CNNVD-202005-237", }, ], trust: 0.6, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Undertow In HTTP Request Smagling Vulnerability", sources: [ { db: "JVNDB", id: "JVNDB-2020-005881", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "environmental issue", sources: [ { db: "CNNVD", id: "CNNVD-202005-237", }, ], trust: 0.6, }, }
var-201704-1589
Vulnerability from variot
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. Apache Log4j Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Apache Log4j is prone to remote code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. Apache Log4j 2.0-alpha1 through 2.8.1 are vulnerable. Apache Log4j is a Java-based open source logging tool developed by the Apache Software Foundation. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. (CVE-2017-5645)
-
A vulnerability was discovered in tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)
-
A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)
-
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)
-
Solution:
Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files). Bugs fixed (https://bugzilla.redhat.com/):
1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used 1441223 - CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
- JIRA issues fixed (https://issues.jboss.org/):
JWS-657 - tomcat-native installs RHEL apr in addition to jbcs-httpd24-httpd-libs JWS-667 - Subject incorrectly removed from user session JWS-695 - tomcat7_t and tomcat8_t domains are in unconfined_domain JWS-709 - RPM missing selinux-policy dependency JWS-716 - Backport 60087 for Tomcat 8 JWS-717 - RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites JWS-721 - CORS filter Vary header missing JWS-725 - /usr/share/tomcat7 needs world execute permissions to function on openshift v2 JWS-741 - Configurations in conf.d are not applied JWS-760 - [ASF BZ 59961] Provide an option to enable/disable processing of Class-Path entry in a jar's manifest file
- The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Security Fix(es):
-
bsh2: remote code execution via deserialization (CVE-2016-2510)
-
log4j: Socket receiver deserialization vulnerability (CVE-2017-5645)
-
uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code (CVE-2017-15691)
-
mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)
-
thrift: Improper Access Control grants access to files outside the webservers docroot path (CVE-2018-11798)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Installation instructions are available from the Fuse 7.3.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/
- Bugs fixed (https://bugzilla.redhat.com/):
1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability 1572463 - CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code 1640615 - CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) 1667188 - CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path
- Description:
Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. (CVE-2017-5645)
-
It was found that XStream contains a vulnerability that allows a maliciously crafted file to be parsed successfully which could cause an application crash. The crash occurs if the file that is being fed into XStream input stream contains an instances of the primitive type 'void'. An attacker could use this flaw to create a denial of service on the target system. (CVE-2017-7957)
It is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.
The References section of this erratum contains a download link (you must log in to download the update). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: log4j security update Advisory ID: RHSA-2017:2423-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:2423 Issue date: 2017-08-07 CVE Names: CVE-2017-5645 =====================================================================
- Summary:
An update for log4j is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
- Description:
Log4j is a tool to help the programmer output log statements to a variety of output targets. (CVE-2017-5645)
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: log4j-1.2.17-16.el7_4.src.rpm
noarch: log4j-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch: log4j-javadoc-1.2.17-16.el7_4.noarch.rpm log4j-manual-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: log4j-1.2.17-16.el7_4.src.rpm
noarch: log4j-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: log4j-javadoc-1.2.17-16.el7_4.noarch.rpm log4j-manual-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: log4j-1.2.17-16.el7_4.src.rpm
noarch: log4j-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch: log4j-javadoc-1.2.17-16.el7_4.noarch.rpm log4j-manual-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: log4j-1.2.17-16.el7_4.src.rpm
noarch: log4j-1.2.17-16.el7_4.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: log4j-javadoc-1.2.17-16.el7_4.noarch.rpm log4j-manual-1.2.17-16.el7_4.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFZiCjVXlSAg2UNWIIRAgugAKCX6snTYMAdTmkK1uQ86MGQhkv7ugCdFILV uCPrjfU5EG2L7kIu/w1uCSA= =Fxz+ -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Description:
The eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). (CVE-2017-5645)
-
A vulnerability was found in Jasypt that would allow an attacker to perform a timing attack on password hash comparison. (CVE-2014-9970)
-
It was found that an information disclosure flaw in Bouncy Castle could enable a local malicious application to gain access to user's private information. (CVE-2015-6644)
-
It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. (CVE-2017-2582)
-
It was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). JIRA issues fixed (https://issues.jboss.org/):
JBEAP-11487 - jboss-ec2-eap for EAP 7.0.8
- (CVE-2017-7525)
Red Hat would like to thank Liao Xinxi (NSFOCUS) for reporting CVE-2017-7525
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", affected_products: { "@id": "https://www.variotdbs.pl/ref/affected_products", }, configurations: { "@id": "https://www.variotdbs.pl/ref/configurations", }, credits: { "@id": "https://www.variotdbs.pl/ref/credits", }, cvss: { "@id": "https://www.variotdbs.pl/ref/cvss/", }, description: { "@id": "https://www.variotdbs.pl/ref/description/", }, exploit_availability: { "@id": "https://www.variotdbs.pl/ref/exploit_availability/", }, external_ids: { "@id": "https://www.variotdbs.pl/ref/external_ids/", }, iot: { "@id": "https://www.variotdbs.pl/ref/iot/", }, iot_taxonomy: { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/", }, patch: { "@id": "https://www.variotdbs.pl/ref/patch/", }, problemtype_data: { "@id": "https://www.variotdbs.pl/ref/problemtype_data/", }, references: { "@id": "https://www.variotdbs.pl/ref/references/", }, sources: { "@id": "https://www.variotdbs.pl/ref/sources/", }, sources_release_date: { "@id": "https://www.variotdbs.pl/ref/sources_release_date/", }, sources_update_date: { "@id": "https://www.variotdbs.pl/ref/sources_update_date/", }, threat_type: { "@id": "https://www.variotdbs.pl/ref/threat_type/", }, title: { "@id": "https://www.variotdbs.pl/ref/title/", }, type: { "@id": "https://www.variotdbs.pl/ref/type/", }, }, "@id": "https://www.variotdbs.pl/vuln/VAR-201704-1589", affected_products: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { model: "utilities advanced spatial and operational analytics", scope: "eq", trust: 1.3, vendor: "oracle", version: "2.7.0.1", }, { model: "tape library acsls", scope: "eq", trust: 1.3, vendor: "oracle", version: "8.4", }, { model: "soa suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.2.1.3.0", }, { model: "soa suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.1.3.0.0", }, { model: "siebel ui framework", scope: "eq", trust: 1.3, vendor: "oracle", version: "18.9", }, { model: "siebel ui framework", scope: "eq", trust: 1.3, vendor: "oracle", version: "18.8", }, { model: "siebel ui framework", scope: "eq", trust: 1.3, vendor: "oracle", version: "18.7", }, { model: "retail open commerce platform", scope: "eq", trust: 1.3, vendor: "oracle", version: "6.0.1", }, { model: "retail extract transform and load", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.2", }, { model: "retail extract transform and load", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.1", }, { model: "retail extract transform and load", scope: "eq", trust: 1.3, vendor: "oracle", version: "13.0", }, { model: "retail advanced inventory planning", scope: "eq", trust: 1.3, vendor: "oracle", version: "15.0", }, { model: "jdeveloper", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.1.3.0.0", }, { model: "jdeveloper", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1.1.9.0", }, { model: "jd edwards enterpriseone tools", scope: "eq", trust: 1.3, vendor: "oracle", version: "9.2", }, { model: "insurance rules palette", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1", }, { model: "insurance rules palette", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.0", }, { model: "insurance rules palette", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.1", }, { model: "insurance rules palette", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.0", }, { model: "insurance calculation engine", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.2.1", }, { model: "insurance calculation engine", scope: "eq", trust: 1.3, vendor: "oracle", version: "10.1.1", }, { model: "identity management suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.2.1.3.0", }, { model: "identity management suite", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1.2.3.0", }, { model: "identity analytics", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1.1.5.8", }, { model: "goldengate application adapters", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.3.2.1.1", }, { model: "flexcube investor servicing", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.0.4", }, { model: "configuration manager", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.1.2.0.5", }, { model: "configuration manager", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.1.2.0.2", }, { model: "communications service broker", scope: "eq", trust: 1.3, vendor: "oracle", version: "6.0", }, { model: "communications pricing design center", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.0", }, { model: "communications pricing design center", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1", }, { model: "communications online mediation controller", scope: "eq", trust: 1.3, vendor: "oracle", version: "6.1", }, { model: "bi publisher", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.2.1.4.0", }, { model: "bi publisher", scope: "eq", trust: 1.3, vendor: "oracle", version: "12.2.1.3.0", }, { model: "bi publisher", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1.1.9.0", }, { model: "bi publisher", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1.1.7.0", }, { model: "api gateway", scope: "eq", trust: 1.3, vendor: "oracle", version: "11.1.2.4.0", }, { model: "jdeveloper", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.3.0", }, { model: "financial services lending and leasing", scope: "lte", trust: 1, vendor: "oracle", version: "14.8.0", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "17.12.7", }, { model: "financial services profitability management", scope: "eq", trust: 1, vendor: "oracle", version: "6.1.1", }, { model: "log4j", scope: "gte", trust: 1, vendor: "apache", version: "2.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "10.1", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "16.2.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.0", }, { model: "enterprise linux server", scope: "eq", trust: 1, vendor: "redhat", version: "7.0", }, { model: "endeca information discovery studio", scope: "eq", trust: 1, vendor: "oracle", version: "3.2.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.4", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "6.7", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "7.0", }, { model: "enterprise manager for fusion middleware", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.0.5", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "11.0", }, { model: "financial services hedge management and ifrs valuations", scope: "eq", trust: 1, vendor: "oracle", version: "8.0.4", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "10.0", }, { model: "financial services analytical applications infrastructure", scope: "lte", trust: 1, vendor: "oracle", version: "8.0.7.0.0", }, { model: "communications network integrity", scope: "lte", trust: 1, vendor: "oracle", version: "7.3.6", }, { model: "mysql enterprise monitor", scope: "gte", trust: 1, vendor: "oracle", version: "8.0.0.0.0", }, { model: "communications interactive session recorder", scope: "lte", trust: 1, vendor: "oracle", version: "6.2", }, { model: "financial services hedge management and ifrs valuations", scope: "eq", trust: 1, vendor: "oracle", version: "8.0.5", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.0", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.6.0", }, { model: "communications network integrity", scope: "gte", trust: 1, vendor: "oracle", version: "7.3.2", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.4", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.1.0.0", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.3.0", }, { model: "service level manager", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "rapid planning", scope: "eq", trust: 1, vendor: "oracle", version: "12.1", }, { model: "fuse", scope: "eq", trust: 1, vendor: "redhat", version: "1.0", }, { model: "enterprise linux server eus", scope: "eq", trust: 1, vendor: "redhat", version: "7.6", }, { model: "enterprise manager for oracle database", scope: "eq", trust: 1, vendor: "oracle", version: "13.2.2", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "15.0", }, { model: "enterprise linux server eus", scope: "eq", trust: 1, vendor: "redhat", version: "7.4", }, { model: "instantis enterprisetrack", scope: "gte", trust: 1, vendor: "oracle", version: "17.1", }, { model: "enterprise linux server eus", scope: "eq", trust: 1, vendor: "redhat", version: "7.5", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "6.0", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "7.4", }, { model: "retail predictive application server", scope: "eq", trust: 1, vendor: "oracle", version: "15.0.3", }, { model: "retail open commerce platform", scope: "eq", trust: 1, vendor: "oracle", version: "6.0.0", }, { model: "enterprise manager for mysql database", scope: "lte", trust: 1, vendor: "oracle", version: "13.2.2.0.0", }, { model: "enterprise manager for oracle database", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.0.8", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "7.5", }, { model: "financial services behavior detection platform", scope: "eq", trust: 1, vendor: "oracle", version: "6.1.1", }, { model: "utilities work and asset management", scope: "eq", trust: 1, vendor: "oracle", version: "1.9.1.2.12", }, { model: "retail open commerce platform", scope: "eq", trust: 1, vendor: "oracle", version: "5.3.0", }, { model: "retail clearance optimization engine", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.5", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.6", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "16.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "10.4.7", }, { model: "enterprise linux desktop", scope: "eq", trust: 1, vendor: "redhat", version: "7.0", }, { model: "oncommand insight", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2", }, { model: "enterprise manager for fusion middleware", scope: "eq", trust: 1, vendor: "oracle", version: "13.2.0.0", }, { model: "mysql enterprise monitor", scope: "gte", trust: 1, vendor: "oracle", version: "3.4.0.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.3", }, { model: "flexcube investor servicing", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.0", }, { model: "enterprise linux server aus", scope: "eq", trust: 1, vendor: "redhat", version: "7.6", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.3.0.0", }, { model: "enterprise linux server aus", scope: "eq", trust: 1, vendor: "redhat", version: "7.4", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.6", }, { model: "retail service backbone", scope: "eq", trust: 1, vendor: "oracle", version: "14.1", }, { model: "enterprise manager base platform", scope: "eq", trust: 1, vendor: "oracle", version: "13.2.0.0", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "10.4.7", }, { model: "jd edwards enterpriseone tools", scope: "eq", trust: 1, vendor: "oracle", version: "4.0.1.0", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2", }, { model: "goldengate", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.2.1.1", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.5", }, { model: "enterprise manager for peoplesoft", scope: "eq", trust: 1, vendor: "oracle", version: "13.2.1.1", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.1", }, { model: "enterprise manager for peoplesoft", scope: "eq", trust: 1, vendor: "oracle", version: "13.1.1.1", }, { model: "log4j", scope: "lt", trust: 1, vendor: "apache", version: "2.8.2", }, { model: "primavera gateway", scope: "lte", trust: 1, vendor: "oracle", version: "16.2.11", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.3", }, { model: "flexcube investor servicing", scope: "eq", trust: 1, vendor: "oracle", version: "12.4.0", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "7.6", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.10", }, { model: "autovue vuelink integration", scope: "eq", trust: 1, vendor: "oracle", version: "21.0.0", }, { model: "policy automation connector for siebel", scope: "eq", trust: 1, vendor: "oracle", version: "10.4.6", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.6.1", }, { model: "snapcenter", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "in-memory performance-driven planning", scope: "eq", trust: 1, vendor: "oracle", version: "12.2", }, { model: "financial services profitability management", scope: "gte", trust: 1, vendor: "oracle", version: "8.0.0.0.0", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.1", }, { model: "enterprise data quality", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.3.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.5", }, { model: "oncommand workflow automation", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "communications converged application server - service controller", scope: "eq", trust: 1, vendor: "oracle", version: "6.1", }, { model: "communications instant messaging server", scope: "eq", trust: 1, vendor: "oracle", version: "10.0.1.3.0", }, { model: "financial services behavior detection platform", scope: "gte", trust: 1, vendor: "oracle", version: "8.0.0.0.0", }, { model: "timesten in-memory database", scope: "eq", trust: 1, vendor: "oracle", version: "11.2.2.8.49", }, { model: "enterprise linux workstation", scope: "eq", trust: 1, vendor: "redhat", version: "7.0", }, { model: "primavera gateway", scope: "gte", trust: 1, vendor: "oracle", version: "17.12.0", }, { model: "identity manager connector", scope: "eq", trust: 1, vendor: "oracle", version: "9.0", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.10", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.7", }, { model: "financial services profitability management", scope: "lte", trust: 1, vendor: "oracle", version: "8.0.7.0.0", }, { model: "retail extract transform and load", scope: "eq", trust: 1, vendor: "oracle", version: "19.0", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.4.0", }, { model: "enterprise linux", scope: "eq", trust: 1, vendor: "redhat", version: "7.3", }, { model: "banking platform", scope: "eq", trust: 1, vendor: "oracle", version: "2.6.2", }, { model: "financial services analytical applications infrastructure", scope: "gte", trust: 1, vendor: "oracle", version: "8.0.0.0.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.9", }, { model: "autovue vuelink integration", scope: "eq", trust: 1, vendor: "oracle", version: "21.0.1", }, { model: "financial services lending and leasing", scope: "gte", trust: 1, vendor: "oracle", version: "14.1.0", }, { model: "in-memory performance-driven planning", scope: "eq", trust: 1, vendor: "oracle", version: "12.1", }, { model: "mysql enterprise monitor", scope: "gte", trust: 1, vendor: "oracle", version: "4.0.0.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1", }, { model: "financial services loan loss forecasting and provisioning", scope: "eq", trust: 1, vendor: "oracle", version: "8.0.4", }, { model: "financial services analytical applications infrastructure", scope: "lte", trust: 1, vendor: "oracle", version: "7.3.3.0.2", }, { model: "oncommand api services", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "instantis enterprisetrack", scope: "lte", trust: 1, vendor: "oracle", version: "17.3", }, { model: "fusion middleware mapviewer", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.2", }, { model: "weblogic server", scope: "eq", trust: 1, vendor: "oracle", version: "10.3.6.0.0", }, { model: "financial services behavior detection platform", scope: "lte", trust: 1, vendor: "oracle", version: "8.0.4.0.0", }, { model: "fusion middleware mapviewer", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1.3", }, { model: "storage automation store", scope: "eq", trust: 1, vendor: "netapp", version: null, }, { model: "enterprise linux server tus", scope: "eq", trust: 1, vendor: "redhat", version: "7.6", }, { model: "enterprise linux server tus", scope: "eq", trust: 1, vendor: "redhat", version: "7.4", }, { model: "financial services loan loss forecasting and provisioning", scope: "eq", trust: 1, vendor: "oracle", version: "8.0.5", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.9", }, { model: "retail advanced inventory planning", scope: "eq", trust: 1, vendor: "oracle", version: "14.0", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.1.0", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.7", }, { model: "rapid planning", scope: "eq", trust: 1, vendor: "oracle", version: "12.2", }, { model: "communications messaging server", scope: "lt", trust: 1, vendor: "oracle", version: "8.0.2", }, { model: "mysql enterprise monitor", scope: "lte", trust: 1, vendor: "oracle", version: "4.0.4.5235", }, { model: "policy automation", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.8", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.1", }, { model: "soa suite", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.2.0.0", }, { model: "flexcube investor servicing", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.0", }, { model: "insurance policy administration", scope: "eq", trust: 1, vendor: "oracle", version: "10.2", }, { model: "communications webrtc session controller", scope: "lt", trust: 1, vendor: "oracle", version: "7.2", }, { model: "retail service backbone", scope: "eq", trust: 1, vendor: "oracle", version: "15.0", }, { model: "financial services regulatory reporting with agilereporter", scope: "eq", trust: 1, vendor: "oracle", version: "8.0.9.2.0", }, { model: "enterprise manager base platform", scope: "eq", trust: 1, vendor: "oracle", version: "12.1.0.5", }, { model: "financial services analytical applications infrastructure", scope: "gte", trust: 1, vendor: "oracle", version: "7.3.3.0.0", }, { model: "financial services lending and leasing", scope: "eq", trust: 1, vendor: "oracle", version: "12.5.0", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.0", }, { model: "application testing suite", scope: "eq", trust: 1, vendor: "oracle", version: "13.3.0.1", }, { model: "policy automation for mobile devices", scope: "eq", trust: 1, vendor: "oracle", version: "12.2.8", }, { model: "mysql enterprise monitor", scope: "lte", trust: 1, vendor: "oracle", version: "8.0.0.8131", }, { model: "mysql enterprise monitor", scope: "lte", trust: 1, vendor: "oracle", version: "3.4.7.4297", }, { model: "flexcube investor servicing", scope: "eq", trust: 1, vendor: "oracle", version: "12.3.0", }, { model: "communications interactive session recorder", scope: "gte", trust: 1, vendor: "oracle", version: "6.0", }, { model: "retail service backbone", scope: "eq", trust: 1, vendor: "oracle", version: "16.0", }, { model: "peoplesoft enterprise fin install", scope: "eq", trust: 1, vendor: "oracle", version: "9.2", }, { model: "insurance rules palette", scope: "eq", trust: 1, vendor: "oracle", version: "10.2", }, { model: "retail integration bus", scope: "eq", trust: 1, vendor: "oracle", version: "14.0.0", }, { model: "log4j", scope: "eq", trust: 0.8, vendor: "apache", version: "2.8.2", }, { model: "log4j", scope: "lt", trust: 0.8, vendor: "apache", version: "2.x", }, { model: "jboss web server for rhel", scope: "eq", trust: 0.3, vendor: "redhat", version: "3.17", }, { model: "jboss web server for rhel", scope: "eq", trust: 0.3, vendor: "redhat", version: "3.16", }, { model: "enterprise linux workstation optional", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux workstation", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux workstation", scope: "eq", trust: 0.3, vendor: "redhat", version: "6", }, { model: "enterprise linux server optional", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux server eus", scope: "eq", trust: 0.3, vendor: "redhat", version: "7.3", }, { model: "enterprise linux server", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux server", scope: "eq", trust: 0.3, vendor: "redhat", version: "6", }, { model: "enterprise linux computenode optional", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux computenode", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux client optional", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "enterprise linux client", scope: "eq", trust: 0.3, vendor: "redhat", version: "7", }, { model: "weblogic server", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.3.60", }, { model: "weblogic server", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.3", }, { model: "weblogic server", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.2", }, { model: "weblogic server", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.1.3.0", }, { model: "webcenter portal", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.3.0", }, { model: "webcenter portal", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.2.0", }, { model: "utilities framework", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.3", }, { model: "utilities framework", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.2", }, { model: "utilities framework", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.2", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.4.2", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.4.1", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.5", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.4", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.3", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.2", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.1", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.2.11", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.7", }, { model: "transportation management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3.6", }, { model: "secure global desktop", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.3", }, { model: "retail xstore point of service", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0.1", }, { model: "retail xstore point of service", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.1.6", }, { model: "retail xstore point of service", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.0.6", }, { model: "retail xstore point of service", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0.11", }, { model: "retail workforce management", scope: "eq", trust: 0.3, vendor: "oracle", version: "1.64", }, { model: "retail workforce management", scope: "eq", trust: 0.3, vendor: "oracle", version: "1.60.7", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0.1", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0.2", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0.4", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2.9", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.1.9", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.0.7", }, { model: "retail store inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.0.12", }, { model: "retail returns management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3", }, { model: "retail returns management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0.4", }, { model: "retail returns management", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.4.9", }, { model: "retail returns management", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.3.8", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.1", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.0", }, { model: "retail price management", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.0", }, { model: "retail point-of-service", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3", }, { model: "retail point-of-service", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0.4", }, { model: "retail order management system", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.0", }, { model: "retail order management system", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.7", }, { model: "retail order management system", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.5", }, { model: "retail order management system", scope: "eq", trust: 0.3, vendor: "oracle", version: "4.0", }, { model: "retail order broker", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.2", }, { model: "retail order broker", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.1", }, { model: "retail order broker", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0", }, { model: "retail order broker", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0", }, { model: "retail open commerce platform", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "retail open commerce platform", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.3", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.1", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.0", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.0", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.0", }, { model: "retail invoice matching", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.2", }, { model: "retail insights", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0", }, { model: "retail insights", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0", }, { model: "retail insights", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1", }, { model: "retail insights", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0", }, { model: "retail fiscal management", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1", }, { model: "retail eftlink", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0.3", }, { model: "retail eftlink", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0.2", }, { model: "retail customer management and segmentation foundation", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0", }, { model: "retail customer management and segmentation foundation", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0", }, { model: "retail customer management and segmentation foundation", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.4", }, { model: "retail customer management and segmentation foundation", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.8", }, { model: "retail convenience and fuel pos", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.1.132", }, { model: "retail central office", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3", }, { model: "retail central office", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0.4", }, { model: "retail back office", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3", }, { model: "retail back office", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0.4", }, { model: "retail assortment planning", scope: "eq", trust: 0.3, vendor: "oracle", version: "16.0.1", }, { model: "retail assortment planning", scope: "eq", trust: 0.3, vendor: "oracle", version: "15.0.3", }, { model: "retail assortment planning", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1.3", }, { model: "retail advanced inventory planning", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.1", }, { model: "retail advanced inventory planning", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.4", }, { model: "retail advanced inventory planning", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2", }, { model: "peoplesoft enterprise fin supply chain portal pack brazil", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.1", }, { model: "peoplesoft enterprise fin supply chain portal pack argentina", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.1", }, { model: "micros retail xbri loss prevention", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.8.1", }, { model: "micros retail xbri loss prevention", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.8", }, { model: "micros retail xbri loss prevention", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.7", }, { model: "micros retail xbri loss prevention", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.6", }, { model: "micros retail xbri loss prevention", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.5", }, { model: "micros retail xbri loss prevention", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.0.1", }, { model: "micros lucas", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.9.5", }, { model: "managed file transfer", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.3.0", }, { model: "managed file transfer", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.2.0", }, { model: "managed file transfer", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.1.3.0.0", }, { model: "jdeveloper", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.1.0.0", }, { model: "jd edwards world security a9.4", scope: null, trust: 0.3, vendor: "oracle", version: null, }, { model: "jd edwards world security a9.3", scope: null, trust: 0.3, vendor: "oracle", version: null, }, { model: "jd edwards world security a9.2", scope: null, trust: 0.3, vendor: "oracle", version: null, }, { model: "insurance rules palette", scope: "eq", trust: 0.3, vendor: "oracle", version: "10.2.0", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.0", }, { model: "flexcube private banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "2.1", }, { model: "flexcube investor servicing", scope: "eq", trust: 0.3, vendor: "oracle", version: "14.0", }, { model: "flexcube investor servicing", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.4", }, { model: "flexcube investor servicing", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.3", }, { model: "flexcube investor servicing", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.1", }, { model: "flexcube core banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.7", }, { model: "flexcube core banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.6", }, { model: "flexcube core banking", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.5", }, { model: "enterprise repository", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.1.3.0.0", }, { model: "enterprise repository", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.1.1.7.0", }, { model: "enterprise manager ops center", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.3.2", }, { model: "enterprise manager ops center", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.2.2", }, { model: "enterprise linux", scope: "eq", trust: 0.3, vendor: "oracle", version: "7", }, { model: "endeca server", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.7", }, { model: "endeca information discovery integrator", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.2", }, { model: "endeca information discovery integrator", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.1", }, { model: "communications webrtc session controller", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.1", }, { model: "communications webrtc session controller", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.0", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.3", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.1", }, { model: "communications unified inventory management", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.0", }, { model: "communications services gatekeeper", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "communications services gatekeeper", scope: "eq", trust: 0.3, vendor: "oracle", version: "5.1", }, { model: "communications network intelligence", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.3", }, { model: "communications network charging and control", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "communications messaging server", scope: "eq", trust: 0.3, vendor: "oracle", version: "8.0.1.1.0", }, { model: "communications messaging server", scope: "eq", trust: 0.3, vendor: "oracle", version: "8.0", }, { model: "communications messaging server", scope: "eq", trust: 0.3, vendor: "oracle", version: "7.0", }, { model: "communications messaging server", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.3", }, { model: "communications messaging server", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.0", }, { model: "communications interactive session recorder", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.2", }, { model: "communications interactive session recorder", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.1", }, { model: "communications interactive session recorder", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "communications convergent charging controller", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.0", }, { model: "communications converged application server service controller", scope: "eq", trust: 0.3, vendor: "oracle", version: "-6.1", }, { model: "communications brm elastic charging engine", scope: "eq", trust: 0.3, vendor: "oracle", version: "-7.5", }, { model: "business intelligence data warehouse administration console", scope: "eq", trust: 0.3, vendor: "oracle", version: "11.1.1.6.4", }, { model: "big data discovery", scope: "eq", trust: 0.3, vendor: "oracle", version: "1.6", }, { model: "autovue for agile product lifecycle management", scope: "eq", trust: 0.3, vendor: "oracle", version: "21.0.1", }, { model: "autovue for agile product lifecycle management", scope: "eq", trust: 0.3, vendor: "oracle", version: "21.0", }, { model: "application testing suite", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.2.0.1", }, { model: "application testing suite", scope: "eq", trust: 0.3, vendor: "oracle", version: "13.1.0.1", }, { model: "application testing suite", scope: "eq", trust: 0.3, vendor: "oracle", version: "12.5.0.3", }, { model: "agile plm mcad connector", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.6", }, { model: "agile plm mcad connector", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.5", }, { model: "agile plm mcad connector", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.4", }, { model: "agile plm mcad connector", scope: "eq", trust: 0.3, vendor: "oracle", version: "3.3", }, { model: "agile plm", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.3.5", }, { model: "agile plm", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.3.3", }, { model: "agile plm", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.3.6", }, { model: "agile plm", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.3.4", }, { model: "agile material and equipment management for pharmaceuticals", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.3.4", }, { model: "agile material and equipment management for pharmaceuticals", scope: "eq", trust: 0.3, vendor: "oracle", version: "9.3.3", }, { model: "agile engineering data management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.2.1", }, { model: "agile engineering data management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.2", }, { model: "agile engineering data management", scope: "eq", trust: 0.3, vendor: "oracle", version: "6.1.3", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.8.1", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.6.2", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.6.1", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.4.1", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0.2", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0.1", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.8", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.7", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.6", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.5", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.4", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.3", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.2", }, { model: "log4j", scope: "eq", trust: 0.3, vendor: "apache", version: "2.1", }, { model: "log4j 2.0-alpha1", scope: null, trust: 0.3, vendor: "apache", version: null, }, { model: "log4j rc2", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j rc1", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta9", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta8", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta7", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta6", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta5", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta4", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta3", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta2", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j beta1", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "log4j alpha2", scope: "eq", trust: 0.3, vendor: "apache", version: "2.0", }, { model: "communications webrtc session controller", scope: "ne", trust: 0.3, vendor: "oracle", version: "7.2", }, { model: "communications messaging server", scope: "ne", trust: 0.3, vendor: "oracle", version: "8.0.2", }, { model: "log4j", scope: "ne", trust: 0.3, vendor: "apache", version: "2.8.2", }, ], sources: [ { db: "BID", id: "97702", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "NVD", id: "CVE-2017-5645", }, ], }, configurations: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", children: { "@container": "@list", }, cpe_match: { "@container": "@list", }, data: { "@container": "@list", }, nodes: { "@container": "@list", }, }, data: [ { CVE_data_version: "4.0", nodes: [ { cpe_match: [ { cpe22Uri: "cpe:/a:apache:log4j", vulnerable: true, }, ], operator: "OR", }, ], }, ], sources: [ { db: "JVNDB", id: "JVNDB-2017-003152", }, ], }, credits: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Red Hat", sources: [ { db: "PACKETSTORM", id: "143499", }, { db: "PACKETSTORM", id: "153344", }, { db: "PACKETSTORM", id: "144597", }, { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144359", }, { db: "PACKETSTORM", id: "144018", }, ], trust: 0.8, }, cve: "CVE-2017-5645", cvss: { "@context": { cvssV2: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2", }, cvssV3: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#", }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/", }, severity: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#", }, "@id": "https://www.variotdbs.pl/ref/cvss/severity", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, "@id": "https://www.variotdbs.pl/ref/sources", }, }, data: [ { cvssV2: [ { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "nvd@nist.gov", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "CVE-2017-5645", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 1.8, vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", author: "VULHUB", availabilityImpact: "PARTIAL", baseScore: 7.5, confidentialityImpact: "PARTIAL", exploitabilityScore: 10, id: "VHN-113848", impactScore: 6.4, integrityImpact: "PARTIAL", severity: "HIGH", trust: 0.1, vectorString: "AV:N/AC:L/AU:N/C:P/I:P/A:P", version: "2.0", }, ], cvssV3: [ { attackComplexity: "LOW", attackVector: "NETWORK", author: "nvd@nist.gov", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", exploitabilityScore: 3.9, id: "CVE-2017-5645", impactScore: 5.9, integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", trust: 1, userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, { attackComplexity: "Low", attackVector: "Network", author: "NVD", availabilityImpact: "High", baseScore: 9.8, baseSeverity: "Critical", confidentialityImpact: "High", exploitabilityScore: null, id: "CVE-2017-5645", impactScore: null, integrityImpact: "High", privilegesRequired: "None", scope: "Unchanged", trust: 0.8, userInteraction: "None", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, ], severity: [ { author: "nvd@nist.gov", id: "CVE-2017-5645", trust: 1, value: "CRITICAL", }, { author: "NVD", id: "CVE-2017-5645", trust: 0.8, value: "Critical", }, { author: "VULHUB", id: "VHN-113848", trust: 0.1, value: "HIGH", }, ], }, ], sources: [ { db: "VULHUB", id: "VHN-113848", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "NVD", id: "CVE-2017-5645", }, ], }, description: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. Apache Log4j Contains a vulnerability in the deserialization of unreliable data.Information is obtained, information is altered, and service operation is disrupted (DoS) An attack may be carried out. Apache Log4j is prone to remote code-execution vulnerability. \nSuccessfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Failed exploits will result in denial-of-service conditions. \nApache Log4j 2.0-alpha1 through 2.8.1 are vulnerable. Apache Log4j is a Java-based open source logging tool developed by the Apache Software Foundation. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library. \n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a\nreplacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which\nare documented in the Release Notes document linked to in the References. (CVE-2017-5645)\n\n* A vulnerability was discovered in tomcat's handling of pipelined requests\nwhen \"Sendfile\" was used. If sendfile processing completed quickly, it was\npossible for the Processor to be added to the processor cache twice. This\ncould lead to invalid responses or information disclosure. (CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's\nDefaultServlet implementation. A crafted HTTP request could cause undesired\nside effects, possibly including the removal or replacement of the custom\nerror page. (CVE-2017-5664)\n\n* A vulnerability was discovered in tomcat. When running an untrusted\napplication under a SecurityManager it was possible, under some\ncircumstances, for that application to retain references to the request or\nresponse objects and thereby access and/or modify information associated\nwith another web application. (CVE-2017-5648)\n\n4. Solution:\n\nBefore applying the update, back up your existing Red Hat JBoss Web Server\ninstallation (including all applications and configuration files). Bugs fixed (https://bugzilla.redhat.com/):\n\n1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used\n1441223 - CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object\n1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability\n1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJWS-657 - tomcat-native installs RHEL apr in addition to jbcs-httpd24-httpd-libs\nJWS-667 - Subject incorrectly removed from user session\nJWS-695 - tomcat7_t and tomcat8_t domains are in unconfined_domain\nJWS-709 - RPM missing selinux-policy dependency\nJWS-716 - Backport 60087 for Tomcat 8\nJWS-717 - RFC 7230/3986 url requirement that prevents unencoded curly braces should be optional, since it breaks existing sites\nJWS-721 - CORS filter Vary header missing\nJWS-725 - /usr/share/tomcat7 needs world execute permissions to function on openshift v2\nJWS-741 - Configurations in conf.d are not applied\nJWS-760 - [ASF BZ 59961] Provide an option to enable/disable processing of Class-Path entry in a jar's manifest file\n\n7. The purpose of this text-only errata is to inform you about the\nsecurity issues fixed in this release. \n\nSecurity Fix(es):\n\n* bsh2: remote code execution via deserialization (CVE-2016-2510)\n\n* log4j: Socket receiver deserialization vulnerability (CVE-2017-5645)\n\n* uima: XML external entity expansion (XXE) can allow attackers to execute\narbitrary code (CVE-2017-15691)\n\n* mysql-connector-java: Connector/J unspecified vulnerability (CPU October\n2018) (CVE-2018-3258)\n\n* thrift: Improper Access Control grants access to files outside the\nwebservers docroot path (CVE-2018-11798)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\nInstallation instructions are available from the Fuse 7.3.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1310647 - CVE-2016-2510 bsh2: remote code execution via deserialization\n1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability\n1572463 - CVE-2017-15691 uima: XML external entity expansion (XXE) can allow attackers to execute arbitrary code\n1640615 - CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018)\n1667188 - CVE-2018-11798 thrift: Improper Access Control grants access to files outside the webservers docroot path\n\n5. Description:\n\nRed Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes. (CVE-2017-5645)\n\n* It was found that XStream contains a vulnerability that allows a\nmaliciously crafted file to be parsed successfully which could cause an\napplication crash. The crash occurs if the file that is being fed into\nXStream input stream contains an instances of the primitive type 'void'. An\nattacker could use this flaw to create a denial of service on the target\nsystem. (CVE-2017-7957)\n\n3. \n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update; after installing the update,\nrestart the server by starting the JBoss Application Server process. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: log4j security update\nAdvisory ID: RHSA-2017:2423-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2017:2423\nIssue date: 2017-08-07\nCVE Names: CVE-2017-5645 \n=====================================================================\n\n1. Summary:\n\nAn update for log4j is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - noarch\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch\nRed Hat Enterprise Linux Server (v. 7) - noarch\nRed Hat Enterprise Linux Server Optional (v. 7) - noarch\nRed Hat Enterprise Linux Workstation (v. 7) - noarch\nRed Hat Enterprise Linux Workstation Optional (v. 7) - noarch\n\n3. Description:\n\nLog4j is a tool to help the programmer output log statements to a variety\nof output targets. (CVE-2017-5645)\n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\nlog4j-1.2.17-16.el7_4.src.rpm\n\nnoarch:\nlog4j-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nnoarch:\nlog4j-javadoc-1.2.17-16.el7_4.noarch.rpm\nlog4j-manual-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\nlog4j-1.2.17-16.el7_4.src.rpm\n\nnoarch:\nlog4j-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nnoarch:\nlog4j-javadoc-1.2.17-16.el7_4.noarch.rpm\nlog4j-manual-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\nlog4j-1.2.17-16.el7_4.src.rpm\n\nnoarch:\nlog4j-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nnoarch:\nlog4j-javadoc-1.2.17-16.el7_4.noarch.rpm\nlog4j-manual-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\nlog4j-1.2.17-16.el7_4.src.rpm\n\nnoarch:\nlog4j-1.2.17-16.el7_4.noarch.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nnoarch:\nlog4j-javadoc-1.2.17-16.el7_4.noarch.rpm\nlog4j-manual-1.2.17-16.el7_4.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2017-5645\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is <secalert@redhat.com>. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2017 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFZiCjVXlSAg2UNWIIRAgugAKCX6snTYMAdTmkK1uQ86MGQhkv7ugCdFILV\nuCPrjfU5EG2L7kIu/w1uCSA=\n=Fxz+\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nThe eap7-jboss-ec2-eap packages provide scripts for Red Hat JBoss\nEnterprise Application Platform running on the Amazon Web Services (AWS)\nElastic Compute Cloud (EC2). (CVE-2017-5645)\n\n* A vulnerability was found in Jasypt that would allow an attacker to\nperform a timing attack on password hash comparison. (CVE-2014-9970)\n\n* It was found that an information disclosure flaw in Bouncy Castle could\nenable a local malicious application to gain access to user's private\ninformation. (CVE-2015-6644)\n\n* It was found that while parsing the SAML messages the StaxParserUtil\nclass of Picketlink replaces special strings for obtaining attribute values\nwith system property. This could allow an attacker to determine values of\nsystem properties at the attacked system by formatting the SAML request ID\nfield to be the chosen system property which could be obtained in the\n\"InResponseTo\" field in the response. (CVE-2017-2582)\n\n* It was found that when the security manager's reflective permissions,\nwhich allows it to access the private members of the class, are granted to\nHibernate Validator, a potential privilege escalation can occur. By\nallowing the calling code to access those private members without the\npermission an attacker may be able to validate an invalid instance and\naccess the private member value via ConstraintViolation#getInvalidValue(). JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-11487 - jboss-ec2-eap for EAP 7.0.8\n\n7. \n(CVE-2017-7525)\n\nRed Hat would like to thank Liao Xinxi (NSFOCUS) for reporting\nCVE-2017-7525", sources: [ { db: "NVD", id: "CVE-2017-5645", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "BID", id: "97702", }, { db: "VULHUB", id: "VHN-113848", }, { db: "PACKETSTORM", id: "143499", }, { db: "PACKETSTORM", id: "153344", }, { db: "PACKETSTORM", id: "144597", }, { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144359", }, { db: "PACKETSTORM", id: "144018", }, ], trust: 2.7, }, external_ids: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { db: "NVD", id: "CVE-2017-5645", trust: 3, }, { db: "BID", id: "97702", trust: 1.4, }, { db: "OPENWALL", id: "OSS-SECURITY/2019/12/19/2", trust: 1.1, }, { db: "SECTRACK", id: "1041294", trust: 1.1, }, { db: "SECTRACK", id: "1040200", trust: 1.1, }, { db: "JVNDB", id: "JVNDB-2017-003152", trust: 0.8, }, { db: "PACKETSTORM", id: "144018", trust: 0.2, }, { db: "PACKETSTORM", id: "144013", trust: 0.2, }, { db: "PACKETSTORM", id: "143670", trust: 0.2, }, { db: "PACKETSTORM", id: "144597", trust: 0.2, }, { db: "PACKETSTORM", id: "143499", trust: 0.2, }, { db: "PACKETSTORM", id: "144019", trust: 0.2, }, { db: "PACKETSTORM", id: "145263", trust: 0.1, }, { db: "PACKETSTORM", id: "143500", trust: 0.1, }, { db: "PACKETSTORM", id: "144014", trust: 0.1, }, { db: "PACKETSTORM", id: "144017", trust: 0.1, }, { db: "PACKETSTORM", id: "144596", trust: 0.1, }, { db: "PACKETSTORM", id: "145262", trust: 0.1, }, { db: "PACKETSTORM", id: "142856", trust: 0.1, }, { db: "CNNVD", id: "CNNVD-201704-852", trust: 0.1, }, { db: "SEEBUG", id: "SSVID-92965", trust: 0.1, }, { db: "VULHUB", id: "VHN-113848", trust: 0.1, }, { db: "PACKETSTORM", id: "153344", trust: 0.1, }, { db: "PACKETSTORM", id: "144359", trust: 0.1, }, ], sources: [ { db: "VULHUB", id: "VHN-113848", }, { db: "BID", id: "97702", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "PACKETSTORM", id: "143499", }, { db: "PACKETSTORM", id: "153344", }, { db: "PACKETSTORM", id: "144597", }, { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144359", }, { db: "PACKETSTORM", id: "144018", }, { db: "NVD", id: "CVE-2017-5645", }, ], }, id: "VAR-201704-1589", iot: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: true, sources: [ { db: "VULHUB", id: "VHN-113848", }, ], trust: 0.01, }, last_update_date: "2024-11-29T21:55:35.270000Z", patch: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { title: "LOG4J2-1863", trust: 0.8, url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, ], sources: [ { db: "JVNDB", id: "JVNDB-2017-003152", }, ], }, problemtype_data: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { problemtype: "CWE-502", trust: 1.9, }, ], sources: [ { db: "VULHUB", id: "VHN-113848", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "NVD", id: "CVE-2017-5645", }, ], }, references: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", data: { "@container": "@list", }, sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: [ { trust: 1.6, url: "https://nvd.nist.gov/vuln/detail/cve-2017-5645", }, { trust: 1.4, url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { trust: 1.4, url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { trust: 1.4, url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { trust: 1.4, url: "https://issues.apache.org/jira/browse/log4j2-1863", }, { trust: 1.4, url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { trust: 1.4, url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { trust: 1.4, url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:1801", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:2423", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:2633", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:2637", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:2638", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:2811", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2017:2889", }, { trust: 1.2, url: "https://access.redhat.com/errata/rhsa-2019:1545", }, { trust: 1.1, url: "http://www.securityfocus.com/bid/97702", }, { trust: 1.1, url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { trust: 1.1, url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { trust: 1.1, url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuapr2021.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { trust: 1.1, url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { trust: 1.1, url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { trust: 1.1, url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:1417", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:1802", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:2635", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:2636", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:2808", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:2809", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:2810", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:2888", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:3244", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:3399", }, { trust: 1.1, url: "https://access.redhat.com/errata/rhsa-2017:3400", }, { trust: 1.1, url: "http://www.securitytracker.com/id/1040200", }, { trust: 1.1, url: "http://www.securitytracker.com/id/1041294", }, { trust: 1.1, url: "https://access.redhat.com/security/cve/cve-2017-5645", }, { trust: 1, url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3cdev.logging.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3cissues.bookkeeper.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3cissues.beam.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3cgithub.beam.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3ccommits.logging.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3ccommits.doris.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3cissues.geode.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3cgithub.beam.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3cgithub.beam.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3cgithub.beam.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3cissues.activemq.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3cdev.logging.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3cdev.logging.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3ccommits.druid.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3cannounce.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3cdev.tika.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3cgithub.beam.apache.org%3e", }, { trust: 1, url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3cissues.activemq.apache.org%3e", }, { trust: 0.8, url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-5645", }, { trust: 0.8, url: "https://www.redhat.com/mailman/listinfo/rhsa-announce", }, { trust: 0.8, url: "https://bugzilla.redhat.com/):", }, { trust: 0.8, url: "https://access.redhat.com/security/team/contact/", }, { trust: 0.8, url: "https://access.redhat.com/security/updates/classification/#important", }, { trust: 0.5, url: "https://access.redhat.com/security/team/key/", }, { trust: 0.5, url: "https://access.redhat.com/articles/11258", }, { trust: 0.4, url: "https://access.redhat.com/security/cve/cve-2017-5664", }, { trust: 0.4, url: "https://nvd.nist.gov/vuln/detail/cve-2017-5664", }, { trust: 0.3, url: "http://seclists.org/oss-sec/2017/q2/78", }, { trust: 0.3, url: "https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc19215827db29c993d0305ee2b0d8dd05939d", }, { trust: 0.3, url: "http://www.apache.org/", }, { trust: 0.3, url: "https://logging.apache.org/log4j/2.x/", }, { trust: 0.3, url: "https://access.redhat.com/security/cve/cve-2017-7525", }, { trust: 0.3, url: "https://nvd.nist.gov/vuln/detail/cve-2017-7525", }, { trust: 0.3, url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform?version=6.4/", }, { trust: 0.2, url: "https://issues.jboss.org/):", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3cissues.activemq.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917@%3cannounce.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd@%3cgithub.beam.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f@%3cgithub.beam.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8@%3cgithub.beam.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83@%3cgithub.beam.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44@%3cgithub.beam.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287@%3cissues.beam.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3cissues.bookkeeper.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422@%3ccommits.doris.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3ccommits.druid.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3cissues.geode.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d@%3ccommits.logging.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc@%3cdev.logging.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125@%3cdev.logging.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9@%3cdev.logging.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3cdev.tika.apache.org%3e", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-5647", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-5647", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-5648", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-5648", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2016-2510", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-3258", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-15691", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions&product=jboss.fuse&version=7.3.1", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2018-11798", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-11798", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2016-2510", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2018-3258", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-15691", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.3/", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en/red-hat-jboss-bpm-suite/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-7957", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=bpm.suite&downloadtype=securitypatches&version=6.4", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-7957", }, { trust: 0.1, url: "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform&downloadtype=securitypatches&version=6.4", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-7536", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/installation-guide/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2015-6644", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-7536", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2014-9970", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2015-6644", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2014-9970", }, { trust: 0.1, url: "https://nvd.nist.gov/vuln/detail/cve-2017-2582", }, { trust: 0.1, url: "https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/", }, { trust: 0.1, url: "https://access.redhat.com/security/cve/cve-2017-2582", }, ], sources: [ { db: "VULHUB", id: "VHN-113848", }, { db: "BID", id: "97702", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "PACKETSTORM", id: "143499", }, { db: "PACKETSTORM", id: "153344", }, { db: "PACKETSTORM", id: "144597", }, { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144359", }, { db: "PACKETSTORM", id: "144018", }, { db: "NVD", id: "CVE-2017-5645", }, ], }, sources: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", data: { "@container": "@list", }, }, data: [ { db: "VULHUB", id: "VHN-113848", }, { db: "BID", id: "97702", }, { db: "JVNDB", id: "JVNDB-2017-003152", }, { db: "PACKETSTORM", id: "143499", }, { db: "PACKETSTORM", id: "153344", }, { db: "PACKETSTORM", id: "144597", }, { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144359", }, { db: "PACKETSTORM", id: "144018", }, { db: "NVD", id: "CVE-2017-5645", }, ], }, sources_release_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", data: { "@container": "@list", }, }, data: [ { date: "2017-04-17T00:00:00", db: "VULHUB", id: "VHN-113848", }, { date: "2017-04-17T00:00:00", db: "BID", id: "97702", }, { date: "2017-05-18T00:00:00", db: "JVNDB", id: "JVNDB-2017-003152", }, { date: "2017-07-25T23:14:47", db: "PACKETSTORM", id: "143499", }, { date: "2019-06-19T17:19:04", db: "PACKETSTORM", id: "153344", }, { date: "2017-10-12T23:35:39", db: "PACKETSTORM", id: "144597", }, { date: "2017-09-06T04:16:42", db: "PACKETSTORM", id: "144019", }, { date: "2017-09-05T23:23:00", db: "PACKETSTORM", id: "144013", }, { date: "2017-08-07T14:42:00", db: "PACKETSTORM", id: "143670", }, { date: "2017-09-27T06:16:15", db: "PACKETSTORM", id: "144359", }, { date: "2017-09-06T04:16:37", db: "PACKETSTORM", id: "144018", }, { date: "2017-04-17T21:59:00.373000", db: "NVD", id: "CVE-2017-5645", }, ], }, sources_update_date: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", data: { "@container": "@list", }, }, data: [ { date: "2020-10-20T00:00:00", db: "VULHUB", id: "VHN-113848", }, { date: "2019-07-17T07:00:00", db: "BID", id: "97702", }, { date: "2017-05-18T00:00:00", db: "JVNDB", id: "JVNDB-2017-003152", }, { date: "2024-11-21T03:28:05.320000", db: "NVD", id: "CVE-2017-5645", }, ], }, threat_type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "remote", sources: [ { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144018", }, ], trust: 0.4, }, title: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "Apache Log4j Vulnerable to unreliable data deserialization", sources: [ { db: "JVNDB", id: "JVNDB-2017-003152", }, ], trust: 0.8, }, type: { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", sources: { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", }, }, }, data: "arbitrary", sources: [ { db: "PACKETSTORM", id: "144019", }, { db: "PACKETSTORM", id: "144013", }, { db: "PACKETSTORM", id: "143670", }, { db: "PACKETSTORM", id: "144018", }, ], trust: 0.4, }, }